"when a lot of thr responsibility is is down to poor security practices"
Their security practices may not have necessarily been poor - when you're against a determined and experienced foe, even best practices may not be enough. And there's always the human factor...
Creating an NSA (or any TLA) proof workplace / network would be pretty difficult to guarantee. Should I aim for TEMPEST Level A standards? Are seismographs too paranoid a solution to detect tunneling in? X-Ray everyone and everything going in/out of the building? Board up all windows?