Who watches the watchers? The same people that like to tell us there are checks and balances in place to prevent domestic spying? What makes you believe every device has an audit trail - or that every login is recorded?
Think of it this way, if a system was created in the 90's or 00's (On, for example, Solaris, or various flavors of UNIX) and still works perfectly fine, would you replace it? Would you disable things like RSH? Harden NIS / NFS and friends - there's a very long list of exploitable software. Or would you just do your best on the technical side and simply trust that the people you give positive vetted TS security clearances to are not going to do what Snowden did?
It's entirely conceivable that the NSA truly has no clue what the man had access to, and maybe never will.