Comment by defrost
2 years ago
It's in the national security interest of the United States to have its industries use robust security practices.
Industries with secure fences that are regularly patrolled are entirely different to industries with partial coverage by unpatrolled rusty fences and a freestanding door frame that has a titanium unpickable lock.
Passwords get compromised, that's a fact.
How the single employee password that got breached was obtained is still (AFAIK) a mystery - but this will always happen ... given many employees, at least one will eventually make a mistake.
After that, the VPN had no multifactor authentication, the network had no internal honey subnets, canary accounts, sanity checks, etc.
High-quality crypto alone does not make for secure systems.
And systems can be secure with lower quality crypto if the systems are robust.