Legislation (or at least policy) always has to play catch-up.
As an example, I was once actually quite vociferous in ensuring that the (then quite fledgling) wifi technology should never be added to my company's network infrastructure, due to the nature of the corporate data that could be available (with a little effort, but somewhat less than also having to enter the building and finding a suitably-wired RJ45 outlet/cable in a meeting room, which was the accepted place for guest/visitor equipment to latch on). In hindsight, this was overkill (though WEP/authentication/etc was a bit primative and would not have necessarily have stopped an "insider outside" attack). But this was in light of people (regular desk-drones) contemplating bringing in their own wifi routers and tapping them into their own desk-outlets for... I forget why, because this was pre 'tablets', so maybe just company laptops needing one less cable (already provided) when sat for the whole day next to their parmanent desktop machine.... Well, aside from all the other issues we had to think about (yes, including the two reasons to protect against data on the laptops going missing), I felt that it was not worth the hassle, but I did do regular promiscuous wifi sweeps with a to make sure nobody had snuck anything into the area (and I think found a couple, though not sure my sweeps were foolproof) with a PenTest/Kali-like setup, as well as inserted strong "think hard before you allow this" statements into the Change Control guidances for the company.
A year or three or five after I left that company, I (somehow... can't imagine I had my laptop on me... my first Android tablet, perhaps?) had a chance to pass by their building and checked... They were broadcasting a corporate hotspot (seen a fair way away... and clearly corporate-branded, which I also would have railed against for obvious reasons, but...) so had clearly adopted the (now more mature) technology for the conveniences it held. Probably fully shored up with transmission authentication, server-mediated "lan-within-the-lan"/"internet tunnelling"/blah-de-blah, time-limited guest access codes, etc, though I didn't try to pentest beyond seeing what the 'front end' was that I could connect to.
But at least it wasn't the free-for-all that it could have been (and reportedly often was) in the early naive days. And whether or not the Clinton server was more vulnerable than it should have heen (by some arguments) and/or too personally secretive to hide the business of the government from the government (by others), it was clear to me that it was a 'bolt on' solution that may not have used exactly the right degree of paranoia in its application, for the developing case-use that it was. Only a huge problem if it was significantly adrift (in how it was used/had to be used) without competent back-room updates/tweaks/etc keeping pace with (or a step ahead of, where possible) the capabilities of 'the bad guys'. And I can't tell you you well or badly they did that.
As a person responsible for various aspects of network security, I always felt uncomfortable that I was basically able to do anything to the network under my control (and, should I so wish, I could have rewritten aspects of the local archives too, and even gradually altered the off-site storage versions under the guise of normal operations) so my biggest concern for Clinton's setup was more whether those who maintained the corporate hardware outwith the auspices of the government were fully screened, or at least none were bad actors who found themselves with unprecedented access way beyond any nominal security clearance level they should have needed. (Not that it being an in-house government operation would necessarily have been any better. Economies of scale and the lack of expertise could make the latter very much an Amateur Hour attempt, when the outsourced resource probably at least benefitted from business-levels of good repute.)
But, the initial point is, we saw Obama having to ditch his Blackberry, in light of realisation of security concerns (yet Trump seemed to always have a 'smart' phone at hand, unsure what mitigations the adults in the room made him adhere to) and government data has probably flowed across more corporate systems than merely Hillary's, the question is how much (and how strong) the encapsulation is in everything from one-time file encryption through to multi-wrapped VPNing to keep the contents (or the mere fact of a transmission from A to B) secure from your country's enemies/not-entirely-friends. It can't be all done at the famed NSA levels of encryption, obfuscation and/or misdirection. And time will maybe tell whether worse issues of security have already happened but not yet heen made known (or even internally discovered).
/awaits news that George Washington once dropped an unsecured USB key in a tavern...