Control is an illusion: if the folks at RSA can be spearphished and have their most valuable assets stolen, basically anyone can. People are fallible, and the bad guys only need one successful attack while the good guys need to defend perfectly. We run a relatively tight shop: no local admin, patches up to date, AV/anti-spam on the email gateways, AV and anti-malware on the desktop, IDS/IPS in the firewall with additional IDS by spanning the VLANs going to our firewall and the server VLAN. What we've found is that we still end up with ~1% of our clients managing to get some kind of infection or infection attempt per month (the attempts are generally where an exploit of some kind succeeded but the payload was stopped by one of the defense layers from actually becoming persistent on the client).
As far as the point from the article, we're moving to have as many of our cloud apps as possible use our SAML repository for authentication so that we can treat it as much as possible like an extension of our general security stance with password attempt monitoring, rate throttling and attack blocking, user lockout, etc. It doesn't help if the service itself is breached, but it at least stops the more casual authorized user leaks that seem to be one of the more common failures identified.
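The centralized login policy the comment describes (failed-attempt monitoring, rate throttling and account lockout applied once at the SAML identity provider rather than per cloud app) can be sketched as a small policy engine. The code below is an added example, not code from the commenter or from any SAML product; the class name `AuthGuard`, the thresholds (5 failures per 5 minutes, 15-minute lockout, 20 failures per source address) and the constructed attempt records are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple
import time


class AuthGuard:
    """Hypothetical failed-login policy for a central identity provider.

    - sliding window: after `max_failures` failed attempts on one account
      within `window_s` seconds, the account is locked for `lockout_s`
    - per-source throttle: one client address that fails against many
      different accounts (password spraying) is refused after
      `max_source_failures` failures in the window
    - every lockout/throttle decision is appended to `events` so it can be
      shipped to the same monitoring the rest of the environment uses
    """

    def __init__(self, max_failures: int = 5, window_s: int = 300,
                 lockout_s: int = 900, max_source_failures: int = 20,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.max_source_failures = max_source_failures
        self.clock = clock  # injectable so the policy can be tested offline
        self._user_fail: Dict[str, Deque[float]] = defaultdict(deque)
        self._src_fail: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}
        self.events: List[str] = []

    def _prune(self, dq: Deque[float], now: float) -> None:
        # Drop timestamps that have aged out of the sliding window.
        while dq and dq[0] <= now - self.window_s:
            dq.popleft()

    def allow(self, user: str, source: str) -> Tuple[bool, str]:
        """Decide whether an authentication attempt may proceed at all."""
        now = self.clock()
        if self._locked_until.get(user, 0.0) > now:
            return False, "account locked"
        self._prune(self._user_fail[user], now)
        self._prune(self._src_fail[source], now)
        if len(self._src_fail[source]) >= self.max_source_failures:
            return False, "source throttled"
        return True, "ok"

    def record(self, user: str, source: str, success: bool) -> None:
        """Feed the outcome of an attempt back into the counters."""
        now = self.clock()
        if success:
            self._user_fail[user].clear()  # a good login resets the account window
            return
        self._user_fail[user].append(now)
        self._src_fail[source].append(now)
        self._prune(self._user_fail[user], now)
        if len(self._user_fail[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_s
            self.events.append(f"lockout user={user} source={source} until={now + self.lockout_s:.0f}")


class FakeClock:
    """Deterministic clock so the example runs the same way every time."""
    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


def replay(guard: AuthGuard, attempts: List[Tuple[str, str, bool]]) -> List[str]:
    """Run constructed attempt records (user, source, success) through the guard.

    Returns the decision reason for each attempt; refused attempts are never
    recorded, mirroring an IdP that rejects before checking the password.
    """
    reasons = []
    for user, source, success in attempts:
        ok, reason = guard.allow(user, source)
        reasons.append(reason)
        if ok:
            guard.record(user, source, success)
    return reasons


if __name__ == "__main__":
    clock = FakeClock()
    guard = AuthGuard(clock=clock)
    # Constructed sample: five bad passwords for one account, then a sixth try.
    burst = [("alice", "203.0.113.5", False)] * 5 + [("alice", "203.0.113.5", True)]
    print(replay(guard, burst))   # the final (correct) attempt is refused: account locked
    print(guard.events)
```

The two counters deliberately differ: the per-account lockout stops guessing against one user, while the per-source throttle catches a single address spreading a few guesses across many accounts, which would never trip the per-account threshold on its own. Both decisions land in `events`, which is the hook for the password-attempt monitoring the comment mentions.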