The object of security is to make yourself a less desirable target. You do this in many ways: obfuscation (people don't know who you are or what you have) or obstacles (making getting your goods more trouble than it is worth). There are many vulnerabilities to any network that connects to the internet at large. The only way to completely safeguard it is to never connect it to the world wide web.
Obfuscation is for suckers. Wait until you get your first malicious employee and you'll be done for. You need to protect from within as well as without. If your top level admins or senior data boys are out to get you, then it's probably game over (those guys should be triple vetted), but anybody else should be manageable.
Otherwise, don't forget compartmentalising different parts of your system (putting a wall between the various parts of a city is not the same thing as just putting 3 outer walls). Ideally, different parts of the system should only have access to what they need to function and nothing more. It greatly mitigates losses when someone compromises something.
Also, you need good alerting (which hopefully won't get drowned out in a sea of noise). All the barriers in the world will only be momentary respite if you're not even aware that someone is trying to break in or has broken in and they have all the time in the world to do their thing.
As to why they could? Probably because CDPR had their own in-house IT team set up their net security and we've seen how CDP handles net security and web coding with GOG.
I'd be lenient on this one. GOG is a medium-sized company and the security landscape is a clusterf*ck. Most places either don't have a dedicated security team or don't have one that is well integrated with the rest of the teams (i.e., actually aware of what developers are doing on the ground).
Also, last time I checked, universities didn't really include security in their curriculum, so it's something graduates have to pick up afterwards on the job or in their own time. And then, you have a whole bunch of people who don't even have a formal education or some kind of certification that shows they have at least a rudimentary grasp of sound software development principles (you can get mad coding skills and still be pretty ignorant of the underlying building blocks of software systems). I mean, you know that there is a problem when you take a good honest look at the number of junior, intermediate or even senior developers that don't even understand, abstractly without going into encryption details, how a certificate chain works.
Also, some people with genius-level intellect are spending all their time figuring out how to break into systems, and not all of them are doing it as security professionals to report flaws. They will do clever, mind-boggling things like statistical inference to determine the approximate value of secret keys if the time to encrypt/decrypt is dependent on the value of the key, or go through humongous codebases that a lot of real world systems depend on, patiently looking for that vulnerability that everybody else missed.
And to make it worse, you can't really test for that stuff, because most attack vectors involve interacting with the system in ways that would never occur normally under non-malicious usage.
It's a mean world out there, and if putting something important in production doesn't terrify the living daylights out of someone, then they're probably not the right person to manage a production system. It is a beast.
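The key-dependent timing leak mentioned above in this post (and why it is hard to catch with ordinary testing), shown in Python as an added example that is not part of this thread: the secret and the guesses are constructed, and the "bytes examined" count stands in for the response time a remote observer would measure, alongside the constant-time fix a defender should ship.

```python
"""Early-exit comparison leaks how much of a guess is correct; constant-time does not."""
import hmac

SECRET = b"s3cr3t-token-0123"  # constructed sample secret, not a value from the thread


def naive_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).
    The second value is what shows up as response time: it grows with the length
    of the correct prefix the guess shares with the secret, which is the signal
    a statistical timing attack aggregates over many requests."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Examines every byte regardless of where the first mismatch is, so the
    work done (and thus the timing) does not depend on the guess."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


def leak_profile(compare, guesses):
    """Map each guess to the work it triggered. A profile that rises with prefix
    correctness is exactly what functional tests never look at."""
    return {g: compare(SECRET, g)[1] for g in guesses}


def stdlib_check(guess: bytes) -> bool:
    """What production code should use: the standard library's constant-time compare."""
    return hmac.compare_digest(SECRET, guess)


if __name__ == "__main__":
    guesses = [b"a" * len(SECRET), b"s3c" + b"a" * (len(SECRET) - 3), SECRET]
    print("naive:", leak_profile(naive_compare, guesses))
    print("constant-time:", leak_profile(constant_time_compare, guesses))
```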