There's another important factor in the paranoia about data breaches and risk that's often VERY overlooked.
As part of the chain of responsibility, the CIO community (the individual CIOs at the 11 NASA centers, and the federal CIOs in general) are very risk-averse. Why might that be? Well, in addition to the normal slamming your agency has to endure if there's a data/privacy breach, the CIOs and decision makers may also be civilly or criminally liable for negligence if it can be shown that they were permitting workplace practices that went against federal regulations. A few CIOs that I know are actually carrying personal liability insurance (out of their own pockets) to cover themselves in case such accusations are leveled.
Now, imagine you're the person tasked with pushing the envelope technologically (Hey, it's what NASA does) but the only thing your bosses ever remind you of is that it's your ass on the line if anything is ever breached, inappropriately stored or transmitted, etc -- and that fines and jail time aren't out of the question. That's enough to make someone pretty risk-averse!