Read How and Why the Office of Personnel Management (OPM) Got Hit With Maybe the Most Damaging Hack of All Time
Every one of the safeguards you might want has a cost. Using cleared people to manage data is expensive, storing data in encrypted form is expensive, using something stronger than simple passwords to make sure you have identified your users correctly is expensive, and annoying.
Someone, somewhere, decided that they didn't want to spend the money: undoubtedly they had budget constraints.
So the sensitivity of the data wasn't properly identified, passwords were used instead of a stronger scheme, the systems involved had "superuser" or "root" accounts that by definition have access to everything, and the users who had access to those root accounts were Chinese nationals in China, who -- I think we can fairly say -- didn't meet the U.S. government's standards for computer security.
Perhaps the biggest issue of all is that the government had centralized the collection of that data into a single web-based system, e-QIP, which means that all this data was collected in one place.
I would bet money that each of these decisions came down to someone saying: "Oh, that's too hard," "Hiring offshore workers is cheaper," "That's too inconvenient."
At each of those steps, some security was lost because someone decided it was easier to relax the requirements than to get the more expensive and annoying solution. And while the inspector general was calling out the hazards, no one was willing to rock the boat.
We ended up with a situation that everyone understands is really dangerous, but where no one decision can be blamed.