sandeepkd 2 days ago

I read the original article, then the detailed statement, and then this article to better understand what happened. I might consider myself as someone who has a fairly good understanding of security flows. Here is my take:

1. The security flows are half-baked and custom-implemented; they do not present a coherent story.

2. No one fully understands the ecosystem as a whole, and so far no one has been able to track what actually happened. Adding audit logs was not part of the product ask, so no one ever added them thoroughly.

If I have to put my money on one, then it's the second one. As for the possible down-the-road action: at most, this incident would trigger more security engineers to be hired, which may give the impression of improving things, but in reality it's probably going to create more blind spots, where product engineers hand out the responsibility to security engineers who do not have much of an idea about the product flows.