Ubuntu Server Attack Has Clear Lesson, and Not So Clear One As Well
On Monday night several Ubuntu servers, sponsored by Canonical and maintained by the community, were found to be compromised. The sys admins took the machines offline and began a cleanup operation. The problem stemmed from a combination of too much software on the machines and incompatibilities between components and newer versions of the OS. Dealing with too much software is relatively easy; accommodating the ripple effects of upgrades across dependent components is more difficult.
According to Jono Bacon at Ubuntu:
a) the servers, especially zambezi, were running an incredible amount of web software (over 15 packages[1] that we recognised) and of all the ones where it's trivial to determine a version, they were without exception out-of-date and missing security patches. An attacker could have gotten a shell through almost any of these sites.

b) FTP (not sftp, without SSL) was being used to access the machines, so an attacker (in the right place) could also have gotten access by sniffing the clear-text passwords.

c) The servers have not been upgraded past breezy due to problems with the network card and later kernels. This probably allowed the attacker to gain root.
Referring to a), he goes on to say:
Unfortunately it's simply not possible for us to maintain that amount of software in any sane or secure fashion.
The more software we have, the more we have to manage. Admin tools can help, but an even better option is getting rid of applications: an attacker cannot compromise what isn't on the machine.
Problem c) is a balancing act. There are always dependencies between components, so what do you do when there is a conflict between a patch and the existing configuration? We can change the existing configuration, but that introduces the possibility of even more conflicts and ripple effects that require further changes. If you have a few hours to apply a patch and find out it will take 3 days and a piece of new hardware, what do you do? You turn into an instant risk manager.
At this point you have to weigh risks and costs and hope you make the right decision, assuming there is one.