"He didn't breach us the way we wanted him to do it so it was dumb." Idk man, sounds like you locked your doors but left the windows open. That's the point of these things.
The point is really that, after working through remediations, there were pretty massive issues remaining that weren’t hard to find and were relatively vastly easier to exploit if the attacker is a Russian teen and not Bruce Lee. And the budget for such things was blown. Priorities, etc.
"a client that turned out to have been rife with SQL injection" sounds more like they left the doors open, but the report focused on the lack of security bars on the windows.