Sure, it sounds like they did .. and it also sounds like this super awesome system had a gaping hole that admin could become anybody else and then just read it, because that user has access.
Not the way I read it, sounds to me like as soon as he had access to their user accounts he had access to all the files in plain text, no mention of breaking encryption anywhere.
And then that's going to be the failure point in your system -- all it takes is one guy who writes his password down, and the whole thing is screwed.
I'm not a crypto expert, but let's do a thought experiment.
Let's say that I've got a bunch of people, and 3 levels of security.
So, if we want all of the people (all of whom have the lowest level of security for sake of argument) to have access, we get one of two scenarios. You have a single decryption key they all share, and the first person to accidentally leak it screws it up for everyone. Or, you have to build a crypto system which will allow the same information to be decrypted using multiple decryption keys -- and my first thought is the more different ways you can decrypt the more likely it is that someone can break into it by crafting a key which also works because it's no longer unique.
Same goes the other way ... does the decryption for the most secure level also open up all of the low-level stuff? In which case, you can narrow your targets down to just the ones with the most permissive key. Because those give you the keys for absolutely everything.
You could try to have a broker which authenticates you, and from there grabs the key it will need to decrypt and then use that .. but then your broker becomes the target because it's got access to everything.
And, you'll probably have corner cases in which generally someone is only allowed the lowest level of access, but for specific things you can get 'read in' on stuff that needs you to escalate your access -- but *only* for that and nothing else. You could also have cases where you have a second group of documents in the "highest access possible" category not accessible to everyone at that level -- say, the OPR at the FBI where you might be investigating the top people and need to keep that secret from them.
I'm sure there's been literally volumes written on this, by people who have far more qualifications than I on the topic. But in general, I think the whole problem of guaranteeing only authorized users can ever access something at a given time is a hard problem. Because the more permutations on what you're trying to do, and the more people involved in it, the more places where there could be gaps.
Any security system will have holes, but it would have been a whole lot harder for Snowden to get hold of the information he did if he had to loiter around people's offices which he probably had no business being in (read plausible excuse) searching below desks for handy post-its, that or find an accomplice that had the correct encryption codes. So I agree that no system is completely secure, but they certainly can be more secure.