Very little surprises me now.
But that I am forbid
To tell the secrets of my prison-house,
I could a tale unfold whose lightest word
Would harrow up thy soul, freeze thy young blood,
Make thy two eyes, like stars, start from their spheres,
Thy knotted and combined locks to part
And each particular hair to stand on end,
Like quills upon the fretful porpentine:
But this eternal blazon must not be
To ears of flesh and blood.
No doubt OPM made some mistakes. Yet I know what they were up against. One in a couple of hundred users will click on the email from the lovely, lonely Russian girl looking for a friend. One in perhaps one hundred and fifty will click on the email with a link to log in and increase his email storage quota. Maybe one in one hundred will click on the browser pop-up that appears to be for upgrading Internet Explorer or the computer's anti-virus software. A few more will open an Acrobat file or Word document coming from an official-looking but hostile source. And then the fun begins.
You can guard against this in some ways. You can install a web filter that blocks access to notoriously dangerous sites. You can make use of the improved security in Windows 7 and later, requiring privilege escalation to install software or open certain files that have arrived by email. But if the users can't increase their privileges, they will complain. If they can, allowing privilege escalation will become so routine that it is automatic for them. Every such safeguard you introduce gets in the way of doing something that users want to do, at least some of which is in their job descriptions. If you make it sufficiently difficult, they will do what they want to do on their own computers, almost certainly using credentials for your systems.
You can classify action and object privileges very finely, and prove that malicious actions contrived by a particular attack will be limited in their effect. The National Security Agency (NSA) developed "SELinux", which does a good job of this, so good that I have spent days looking at logs and figuring out how to make certain programs work with it. You can, as NSA did, compartmentalize access to different pieces of data to make intrusion limited in effect and quickly detected. But then you may well hire sysadmins who share their credentials, because a trustworthy guy like Edward Snowden said that he needed them.
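As an added illustration of the log-reading described above (this is example code written for this page, not NSA tooling and not the audit2allow utility it loosely imitates): a small parser over AVC denial lines in the format SELinux writes to audit.log. The sample lines are constructed for the example, and the RISKY_PERMS list is an editorial selection of permissions that a reviewer should refuse rather than wave through, which is the part of the job that takes the days.

```python
import re
from collections import defaultdict

# Constructed sample in the format of SELinux AVC denials from
# /var/log/audit/audit.log. Illustrative only; not from any real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1433912345.123:4567): avc:  denied  { read } for  pid=2134 comm="httpd" name="index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1433912345.124:4568): avc:  denied  { open } for  pid=2134 comm="httpd" path="/home/alice/public_html/index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1433912400.001:4590): avc:  denied  { name_connect } for  pid=2134 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1433912500.777:4601): avc:  denied  { execmem } for  pid=3001 comm="plugin-helper" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1433912345.123:4567): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

# Permissions that silence a denial but also open the door wider than the
# program usually needs. Editorial choice for this example, not an official list.
RISKY_PERMS = {
    "execmem", "execstack", "execheap", "execmod",          # writable+executable memory
    "dac_override", "dac_read_search", "setuid", "setgid",  # capability class
    "sys_admin", "sys_module", "sys_ptrace",
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """user:role:type[:level] -> type (the third field)."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Return one dict per AVC denial line; other audit record types are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": _type_of(m.group("scontext")),
            "ttype": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def summarize_rules(denials):
    """Collapse denials into (source type, target type, class) -> permissions,
    i.e. the minimal allow rules that would make each of them go away."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def format_rules(rules):
    """Render the summary as policy-language allow rules, sorted for stable diffs."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(rules.items())
    ]


def risky_rules(rules):
    """The subset of rules that grant something in RISKY_PERMS. These are the ones
    to fix in the program (or relabel the files) rather than allow in policy."""
    return {key: perms for key, perms in rules.items() if perms & RISKY_PERMS}


if __name__ == "__main__":
    rules = summarize_rules(parse_avc_denials(SAMPLE_AUDIT_LOG))
    for line in format_rules(rules):
        print(line)
    for (stype, ttype, tclass), perms in risky_rules(rules).items():
        print(f"REVIEW: {stype} wants {sorted(perms & RISKY_PERMS)} on {ttype}:{tclass}")
```

The first two denials in the sample would be better answered by relabeling the content (httpd serving files out of a home directory is the classic case) than by an allow rule, and the execmem denial should be answered by finding out why a web-server plugin needs writable executable memory; the point of the risky list is that the tool gives you the rule, but not the judgement.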
In Further Cuttings from Cruiskeen Lawn, Flann O'Brien, setting out the differences between the Dublin Man (disillusioned) and the Irish Man (not), says "Dublin Man rarely permits himself a laugh but the word 'idealist' will always get one." I don't laugh when I hear "computer security", but I might permit myself a pained smile that you can almost tell from a wince.