Building a successful security organization is very easy, it just starts higher up the food chain than whatever experts you hire to do it. Security is a cultural practice, it's not a feature, it's not a bolt-on. To the extent that your security organization influences and receives buy-in from your corporate culture, becoming a part of your organization's identity, it will be successful.
I think this is key. If you don't have a good security culture, where people understand and have ingrained proper security practices, you're toast, no matter who else you hire.
Google has good security practices, and those can be implemented in any big corp as they are very straightforward. Mudge previously worked at Google so I'd assume he was hired to help Twitter security get better by implementing some practices from Google. But maybe he was just hired to look like Twitter cared and they didn't really want to change anything.
Google also has a very good ingrained security culture. They understand that they hold on to people's most private and critical data, and rock-solid security has to be a cornerstone of their business.