Great question. They're both at fault, but in my opinion Facebook deserves a lot of the blame for carelessly building a system with extremely lax privacy controls.
The functionality Cambridge Analytica used to get all that information was standard, fully supported functionality that Facebook made available to anyone who wanted to use it. Cambridge Analytica wasn't supposed to use it the way that they did, but there was nothing to stop them. Facebook also tried to keep CA's misuse a secret once they found out about it.
Facebook has since added more restrictions on what information third-party apps have access to, but they added those restrictions primarily to prevent competitors from being able to use Facebook's user data to bootstrap their own social networks, not because they wanted to protect user privacy.