Sophistication won't protect you from dumb
There is little doubt at this point, given the access to enough resources and the will, any network can be hacked,.
However, the breach you describe at the OPM that cost Katherine Archuleta her job, and is also the case for most of the high profile hacks we have seen in the headlines over the past 2 years speciifcally, have all resulted from non existent or insufficient management of privlieged user and privlieged service accounts.
Giving root access, to government databases, to a thrid party provider, in a foriegn country....that's just dumb.
It's akin to buidling a castle with huge walls, a moat, and even adding some boiling oil , all the "sophistication" in the world...but failing to raise the drawbridge before a battle.
Are you really surprised when it gets ransacked? Seriously?
A simple , least privlieged approach or using role based access controls to manage priliveged users and privileged accounts would have prevented this "type" of breach.
Sure, the credentials could have been exploited eventually, given the time, but not putting up a first line of defense over your most potential catstrophic vulnerbaility, leaves me dumfounded to know...what big picture are these IT leaders looking at?