Lack of MFA, lack of hardware whitelisting, servers exposed directly to the Internet, lack of user privilege restrictions, allowing passwords that are known-compromised, ...
If so, it doesn't make sense to blame Putin. The blame lies on US lawmakers, for not incentivizing US businesses to have a budget for fixing these sorts of issues. For example, when companies such as Equifax are hacked because of poor security practices do they pay a penalty? No. That's the problem.