More security conscientious setups use things like automatic password vaults requiring multiple admins to access. Sysadmin also doesn't mean defacto data access without forcing them to patch the software maliciously (you don't want your admins accidentally or intentionally accessing data covered under HIPAA!)
Which isn't to say you're incorrect when you say how much damage a junior sysadmin could do in most places. It is to say that there are options that make this kind of thing a lot harder, to limit the scope and damage rogue admins can cause, and to raise the bar in terms of knowledge required. One would hope the NSA would be employing some of them.
One might hope the NSA audits their contractors' security, but I'm not sure I'd bet on it.
And somewhere along the way you have to accept that your most senior admins aren't always going to be the ones schlepping gear around, which means physical access.
I'm also not entirely convinced of the practicality of building a system where there isn't at least one person who can bypass everything, especially if they're prepared to go into exile as this guy was.
Given adequate resources, I'm sure it's possible, but there's gonna be a shitton of money and ridiculously careful planning involved. I expect the operational overhead to be similarly huge.
Which isn't to say you're incorrect when you say how much damage a junior sysadmin could do in most places. It is to say that there are options that make this kind of thing a lot harder, to limit the scope and damage rogue admins can cause, and to raise the bar in terms of knowledge required. One would hope the NSA would be employing some of them.