
Strewth: Hackers slurp 19 years of Oz student data in uni's second breach within a year

Anonymous Coward

"I also have some empathy for the task of protecting a large university, inherently full of BYOD, from a determined attack. Virtually impossible."

While protecting against every possible attack is, as you say, virtually impossible, being aware of your critical systems and protecting them via best practices should have both limited the impact (if not prevented it entirely) and reduced the time the attackers had to cause mischief.

This isn't a unique organisation - there are thousands of universities all over the world providing this type of access, and many more organisations providing similar levels of access. While other organisations do get compromised, they rarely get compromised twice in the space of 12 months with the second compromise getting significantly more data.

If cost is the key issue, requiring higher levels of device control (i.e. ACLs/host-based firewalls to limit access to key systems, and force all other access via SSLVPN from untrusted parts of the network with IDS/IPS/NAC tools to enforce compliance and spot unusual traffic early. All of this can be done with open source tools and a little reading or with off-the-shelf products at a higher cost). From there, start cleaning up the rest of the network to make more of it "safe" - use network scanners to find forgotten servers, update/patch older equipment, set standards that are enforced so that 10+ year old FTP servers sit around unpatched etc.
