This is fascinating.
The idea of classical security procedures is that you minimise attack surfaces, but also minimise what can be done in the event of a successful hack, and to maximise active detection and elimination of attacks as they take place.
More modern security practices have multiple layers of castle wall for things that don't actually need direct access.
In order for an attack that results in remote access to succeed, you need a minimum of three different security failings. Depending on what level of access was achieved, and the level of network segment isolation, it can take six of seven failings.
In practice, operations take shortcuts, so it's rare you get to quite that degree.
Regardless of how many layers there were, a breech of security requires problems in far more than just an application. I'd want to know what the additional failings were.