"That's right, but consider they should have also revoked all the access for the remote devices"

Ideally the device substitution would have been spotted, but I think that one would have got past most corporate checks I have seen. What this relies on is that the user also needs to authenticate.

The main failing here is that he was able to know another user's admin credentials - and they were not changed.

WiFi is not always the only way in. I have been able to plug an Ethernet cable into the back of an IP phone in a (bank's!!) reception area and meeting rooms before and get access to the corporate LAN...
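One defender-side check that follows from the IP-phone point above: audit the switch's MAC address table against an inventory of which devices are supposed to sit on each public-area port, so a laptop plugged into a phone's spare Ethernet port shows up as an unexpected address. This is an added example, not code from the commenter or from any product mentioned; the table text is constructed to resemble Cisco IOS `show mac address-table` output and the per-port allow-list (`AUTHORIZED`) is a hypothetical inventory.

```python
"""Audit a switch MAC address table against an authorized-device inventory.

Added example (not from the original discussion): flags MAC addresses seen on
access ports that are not on the allow-list for that port, e.g. a laptop
plugged into the PC port on the back of an IP phone in a reception area.
"""
import re
from collections import defaultdict

# Constructed sample output, format modelled on Cisco IOS `show mac address-table`.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Gi1/0/1
 100    0011.2233.4456    DYNAMIC     Gi1/0/2
  10    aabb.ccdd.eeff    DYNAMIC     Gi1/0/2
 100    0011.2233.4457    DYNAMIC     Gi1/0/3
Total Mac Addresses for this criterion: 4
"""

# Hypothetical inventory: MACs expected on each reception / meeting-room port.
# Ports not listed here (uplinks, staff desks) are not audited by this script.
AUTHORIZED = {
    "Gi1/0/1": {"0011.2233.4455"},   # reception phone
    "Gi1/0/2": {"0011.2233.4456"},   # meeting-room phone, no PC expected behind it
    "Gi1/0/3": {"0011.2233.4457"},   # meeting-room phone
}

# One data row: VLAN, dotted-quad MAC, entry type, port name.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: [(vlan, mac), ...]} from show mac address-table output.
    Header, separator and summary lines do not match ROW_RE and are skipped."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            seen[m["port"]].append((int(m["vlan"]), m["mac"].lower()))
    return seen


def find_unauthorized(text, authorized):
    """Return a sorted list of (port, vlan, mac) for addresses seen on an
    inventoried port that are not on that port's allow-list."""
    findings = []
    for port, entries in parse_mac_table(text).items():
        if port not in authorized:
            continue
        allowed = {mac.lower() for mac in authorized[port]}
        for vlan, mac in entries:
            if mac not in allowed:
                findings.append((port, vlan, mac))
    return sorted(findings)


if __name__ == "__main__":
    for port, vlan, mac in find_unauthorized(SAMPLE_MAC_TABLE, AUTHORIZED):
        print(f"ALERT: unexpected device {mac} on {port} (VLAN {vlan})")
```

In the sample data the meeting-room phone on Gi1/0/2 has a second address behind it on a different VLAN, which is exactly the cable-into-the-phone case; run against a real export this is a cheap complement to 802.1X rather than a replacement for it, since it only sees devices after they have already obtained a link.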
