He couldn't even secure his own campaign's - brand new - webservers, with the result I (and presumably many others) received spam sent through his unsecured mailer CGI. His campaign wasn't bound by Congressional oversight, Inspector-General audits or anything of the sort, and didn't even have multi-year-old legacy systems to integrate, just their own web content. I suspect his team was just too seduced by "ooh, shiny!" syndrome, plugging their stuff into Facebook, Twitter and whatever else they could find, rather than tending to the basics of running the website competently.
I don't think yet another "czar" would help, though. Proper, fully authorised and monitored, pen-testing (maybe by DHS or the NSA, they should know a thing or two about it) with published reports ("name and shame") and deadlines for vulnerabilities to be patched, perhaps.
That or just take the shiny toys away from the departments which can't be trusted with them. Did his campaign really need a ready-made spambot backdoor for people to email each other with, rather than using a proper email client like everyone else? How many more unsecured CGIs (or equivalent) are lurking out there on .gov servers waiting to be exploited, which could just be deleted without anyone really losing out?