They Never Learn
With "old-fashioned" locks (where all the keys are identical), if a key goes astray you have to change all the lock cylinders and issue new keys. It's a pain, for sure, but at least lock cylinders are designed to be changeable for this reason.
With more sophisticated electronic access control systems (where each "key" is unique and some black box containing proprietary electronics about which you know precious little determines which ones are valid), if a key goes astray you can program the system not to allow that key to open the locks.
But with biometric security systems, where the user *is* the key, once somebody manages to bypass the system then the whole thing is undermined. Short of denying the impersonatee access to the facility, you can only introduce additional security layers.
Even using encryption between the fingerprint reader and the controller doesn't necessarily make the system any more secure. If the encryption key never changes, then a previously-intercepted, encrypted message will always decrypt correctly. (Which is why the encryption schemes used on read-only optical discs such as DVDs are no barrier. A bit-by-bit copy can still be correctly decrypted by a player.)
If the encryption key is changed, then there is still a possibility that keys could be intercepted by means of a classical man-in-the-middle attack. Out-of-band key exchange systems (e.g. flash PROMs programmed alike at time of manufacture, one each end of the link, keys chosen at fixed times) are still vulnerable to denial-of-service attacks; and the recovery from such an attack requires placing the system into a known state, which must be assumed vulnerable.
Then there's the Law of Diminishing Returns to consider. At some point, the cost of "access control systems" will begin to outweigh the value of whatever they are supposed to be protecting.
Of course, what with Sophistication being the name of the horse on which Failure rides into town and people always being the weak link, it wouldn't surprise me if someone managed to get into a "secure" facility by means of a simple denial-of-service attack -- crudely lock everyone out of the building so that a fire exit has to get pressed into service as a temporary main entrance, and follow someone in there. Believe it or not, fire exit doors are only rated for a limited number of opening and closing cycles (how many times do you expect a building to go on fire?) after which they are designed to fail safe -- i.e., not shut properly.
And if the fingerprint readers ever become hard to bypass with an actual copy of a genuine print (any good clear print lifted from anywhere inside the controlled area ought to do the necessary), would-be miscreants will simply have to turn their attention elsewhere -- such as the solenoid in the door frame which releases the lock when fed with a suitable voltage from the electronic controller or a portable battery pack; or that old standby, the hinge pins. Or if the doors really are too robust then they might even resort to removing a few bricks, or tunnelling in from below! Nobody has used such methods for years, so hardly any modern security expert is expecting anyone to try them.
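The replay problem described above for a reader-to-controller link with a key that never changes, as an added example that is not part of the original comment. It goes one step beyond the text by showing a controller-issued one-time nonce rejecting the same replay. Assumptions: HMAC-SHA256 from the standard library stands in for the link's encryption, and the class names, key and message contents are hypothetical and constructed.

```python
import hashlib
import hmac
import secrets

LINK_KEY = b"constructed-static-link-key"  # constructed; never changes on this link

def seal(key: bytes, payload: bytes) -> bytes:
    # Reader side: payload followed by an HMAC-SHA256 tag under the link key.
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def unseal(key: bytes, message: bytes):
    # Controller side: return the payload if the tag verifies, else None.
    payload, tag = message[:-32], message[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

class StaticController:
    # Accepts any correctly sealed message; it has no notion of freshness.
    def open_door(self, message: bytes) -> bool:
        return unseal(LINK_KEY, message) is not None

class NonceController:
    # Issues a one-time nonce per attempt and requires it inside the seal.
    def __init__(self):
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def open_door(self, message: bytes) -> bool:
        payload = unseal(LINK_KEY, message)
        if payload is None or len(payload) < 16 or payload[:16] not in self._pending:
            return False
        self._pending.discard(payload[:16])  # single use: a replay finds it gone
        return True

def demo():
    match = b"template-0042:match"    # constructed reader result
    captured = seal(LINK_KEY, match)  # what a tap on the wire would record
    static, fresh = StaticController(), NonceController()
    bound = seal(LINK_KEY, fresh.challenge() + match)
    return (static.open_door(captured), static.open_door(captured),
            fresh.open_door(bound), fresh.open_door(bound))
```

The nonce only addresses replay on the wire; it does nothing about the other routes the comment lists, such as a copied print presented at the sensor or the lock hardware itself.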