I would also like to add that over the past ten years, "security" has gotten much much tighter at NASA. NASA has many roles that involve interfacing with the industrial community, the scientific community, and the public community at large. It is often difficult to reconcile those roles with the additional goal of "more security!" In fact, in the interests of blanket security, I would say that NASA's ability to interact with communities, and lead through good example, have been partially stifled in the name of security.
Another thing to mention is that often-times, large institutions like NASA are dealing with legacy systems that do not have the latest security. The common knee-jerk reaction is to say, "just upgrade it!" But the reality is that there can be knock-on effects that prevent upgrading or make it cost-prohibitive. Critical systems that have been running for years often do not have the funds or staff expertise to execute a major upgrade. But as I said, this is a problem with most large institutions, it's just that "NASA" in the title of an article makes it higher profile.
This post has my personal opinions only.