Some Observations
1. The pretty easy one that just as Bush &Co. could claim they were mislead about WMD in Iraq by the CIA & FBI, so apparently the DHS is allowed to fob off gaping holes in it's systems on someone else. Thus: perhaps we ought to hold the executors of policy responsible for the execution of policy, not merely it's enunciation.
2. Outsourcing is an excellent way to occult the facts. Outsource less savoury military, paramilitary and spy activities in Iraq to private contractors (mercenaries): the details can be hidden behind privacy laws and contractual obligations - obscuring that the gov't had a responsibility for the conduct of the war; outsource DHS IT and leaks can be blamed on the contractor not the DHS - obscuring that the DHS has a responsibility to ensure data security. In both cases the idea that one can trust the contractor without oversight is implicit, but that don't make it so.
3. WRT specifically the DHS, though the managers of that organization to have the authority to outsource the IT, they are still responsible for ensuring the IT operation is clean - whether contractors or employees do the work. There is an attempt to lay the blame and the cost elsewhere, protecting the people who run DHS and failed to ensure data security. This is much the same technique Bush & Co. have used to duck the responsibility for starting the Iraq war - apparently shoddy auditing followed by bare faced claims that "it was them, not us". Not have good auditing is a failure of duty by the people who run DHS, and they should be held to account.
My, hopefully even toned, $0.02.