It is not correct to refer to CASA and aviation security in the same context. CASA has no input whatsoever into the enforcement of the ATSA and ATSR.
As for their relationship with Merimbula. When the ASIC debacle started back in about 2005 most, if not all, security controlled airports were automatically directed to become issuing bodies. That was culled back a few years ago to the relatively modest list that exists today. Merimbula from the outset through Aviation ID Australia set themselves up as a provider to GA. As Old Akro correctly said above, CASA made a complete dogs breakfast of it and although still required by legislation to be an issuing body, the day to day functions of receiving applications and issuing cards is done by AIDA.
I have been told that as a result of this breach the requirements that the Department has put on issuing bodies with regard to auditing of IT systems and gaining accreditation is going to be quite onerous - which is another word for expensive. The hacking appears to have been with the online submission of an applicants data. Many issuing bodies continue to use a manual paper based application process and the only online activity is the submission of the background check through the Departments secure website so unless you applied through AIDA or the other issuing body that was compromised, your information should remain safe.