This is best interpreted as a lesson in why serious IT security is so rare.
It's hard for amateurs (e.g. 99% of IT managers) to understand what they need to do; security specialists (like network specialists) are exceptionally hard to understand, even by the standards of IT tech staff; and it's relatively expensive to set up and maintain good security.
Until people start caring about IT security (instead of just pretending) this kind of thing will remain the norm.
Eh, I find it's usually one of two things. Either you're getting audited regularly and you're in a CYA mindset, or you're one of those groups that gives no shits because you have little oversight and just cut corners. This sounds like their shop was the latter, and their security guy was probably just snoozing away, as they were likely their own accreditor.
Some things that caught my eye in the (very few) articles and posts I read on this topic:
The US State Department appears to have major problems with security policy in general:
* There were numerous mentions of information that was originally ok to send in an email and was then reclassified to a higher level later. Similarly, differences in classification level between different US Government organizations were mentioned, with State normally the one that was least cautious.
* At least one of Clinton's predecessors (Colin Powell?) used a private email server - so either there wasn't a policy against it, or policy enforcement even at that simple level wasn't serious.
Neither of these is necessarily an implementation failure as such - they are indications of "security theater".
The first means that incoming emails can become problematic - this effectively delegates security to the receiver rather than a serious process/system - of course it will fail sometimes. The second suggests that there might be rules, but they're not applied to everybody.
After I read those, I stopped paying attention to the details /lol.
It was obvious there would be a few stored emails that weren't correctly secured. Percentage-wise it actually wasn't many, which suggests Clinton herself is quite careful. But that's the thing with serious security - if it's not 100% effective it fails, so depending on individuals to always act correctly is impractical.
It was equally obvious they'd never be able to prove their network security and authorization were at least as good as the organization's standard email servers.