Wow, thats pretty staggering. I'm sure I read an article (maybe just a tweet) by Andreas Antonopoulos stating that by complying to KYC/AML that they left themselves more vulnerable to this hack.
The issue comes into play that Bitfinex owned the private keys of all wallets in their possession, and the winners of positions were shown an accounting ledger through Bitfinex as opposed to having possession of their own coins. Now I can not pretend I know what happened behind the scenes with the back and forth between Bitfinex and the CFTC, but I can say that based on all evidence, Bitfinex was unable to pay out all positions within the required 28 day period. Verbiage within the original CFTC complaint suggests that the primary cause of this was Bitfinex's accounting system that was at fault.
Bitfinex could have moved to a cold storage system to make the bulk of their bitcoins secure, but doing so would have required them to register as a futures merchant and submit to additional auditing (which makes perfect sense, you can't expect to dump people's money into a shared pool only you have the books for). They chose to remain unregistered and use their multi-sig hot wallet system because the on chain transaction is enough for "proof of delivery". I'm sure someone could argue that qualifies as "The CFTC forced them to act insecurely", but Bitfinex gets zero sympathy from me for doing shit they profited from at the expense of their customers, while taking money from customers to socialize the loss.