Whenever there is an IT security breach, there have been some kind of vulnerability. It's important to fix vulnerabilities as fast as possible, and it's also important to consider "defence in depth" and make sure the risk of someone being able to abuse a "zero-day" vulnerability is low. Most people have an inbound firewall, but leaves the outbound firewall wide open - most automated attacks can easily be stopped by having a firewall that by default stops all outbound traffic.
I'm quite concerned about the Norwegian mentality nowadays, I read "we couldn't possibly defend ourself against this attack" when someone got unauthorized access to the parliament email system. Commenting on some local new site, I got attacked for "blaming the victim" (I wrote more about that in another post).