Given they never picked up on common out-of-band management and boot loader hardware & associated software installed on the machine by the manufacturer, their audit (as well as pre-purchase/rental) policy must be completely lacking and not fit for purpose.
When it comes to large data centres, getting inside to perform your own security audit may not exactly be an easy thing, and keeping someone onsite 24/7 to make sure there are no future issues?
One would expect that data centres, given the high level of trust placed in them and the "never again" many of their customers will choose should they be found to screw up, would put in plenty of decent practices themselves and alert their customers to any potential risks (eg leaving a management tool running when it should be closed down).
I suspect a bit of fail all round, but that the data centre company aren't crying foul at the early termination of contract - either Nord weren't at fault for the breach, or Nord were a bit of a pain to deal with and the DC are glad to be shot of them.
If Nord is true to their claims of changing the way they build their servers to prevent such problems, and are true to their claims of no data logging and VPN chains etc., then even with such a breach they're not likely to expose that important data their customers use.
(I will have to contact them about that bug bounty though, I have something in mind I think should be fixed)