The article says that the spreadsheets were protected by a password that the contractor did not initially hand over. So yes, that was a oversight of Siemens.
"Protected" office documents are the rough equivalent of putting up a 'Do Not Enter' sign and are just as trivial to bypass. If anyone had really cared enough to want to see the code, they could have.