> there’s an _incredible_ amount of “dunno who that belongs to but don’t touch it because it might be important”
Right, so not an oversight, but a decision not to touch the obscure system. Decisions with bad outcomes aren't oversights unless you want to downplay them when justifying yourself.
Your SMTP gateway is never "that" system that nobody knows about. You must know who owns and manages it, you know you have to secure it (minimal measures like... authentication) so you don't get unceremoniously penetrated. And if you do it you may or may not realize that something will fail because of the extra security.
If you know that "one cobbled together system, or old network MFP" I was mentioning earlier will fail when you enforce authenticated SMTP, because it's too old and replacing it is $$$, or too arcane and bringing an expert is $$$ then you will take an informed decision whether to proceed with your security hardening or not.
If you have no idea something will fail (you didn't catch it in the dry runs) if you enforce authenticated SMTP, you just do it and if someone comes in a frenzy to tell you that the old and arcane system is down then you revert the change. From now on you're in the informed decision scenario from above.
This is not a minor omission. Leaving a glaring insecurity like this open by oversight isn't what the article suggests happened, and it is almost never the case. It's not something that "just happens", it's something that people meet to discuss and decide to ignore, maybe for reasons that look good at the time. This is the essence of risk taking. But it's a decision nonetheless.