- OpSec failure to use an insecure non-DoD channel to communicate military operational status. Doesn't matter if it's signal, SMS, Slack or anything.
- Signal specifically is e2e encrypted without retention, in fact a first class feature to delete messages after some time. This bypasses legal requirements for record retention. Even if an "approved" DoD channel was used, the deletion of communications is a massive, massive scandal.
As others have noted, specifically Signal has a special bulletin due to exploits by Russian actors. This is a big infosec story proceeding in real time. The Hegseth / Yemeni / Goldberg angle is a small facet of it, and possibly least important.