Or an alternate headline: "US government continues to have lax security"
If the US government hires Moe, Larry, and Curly to move a box of documents, and it falls off the truck, and someone steals the box, should we be aghast at the thief or the government? Microsoft had multiple vulnerabilities and did not adequately protect its signining keys. While MS will spin this as a "sophisticated attack," was it really or did they just forget to close the truck door? By the same token, the government seems happy to put its email on a commercial cloud service. I haven't had a look at the full details, but this does seem to have been a lateral attack. Regardless, at some level, diligence may have been lacking.