Where they went wrong (allegedly) is that the passwords and certs are in the source code repository! zomg!
What they should have done is have puppet/chef/cfengine push out dotfiles so that the passwords and certs are in the role user's environment, and the config files pull it out of there.
Of course, your puppet/chef/cfengine configuration must be versioned and change managed, so that gets checked in to a repository too! Repositories all round!
IMO, this just replaces one source of information leakage with another. Any accidental environment leakage can lead to disclosure of secrets, so you have to scrub it. I've no problem with production config files living in a separate repository, just this "stuff everything in the environment and write complex, hard to read and debug config files that pull it out again".