IRS Faulted for Application Vulnerabilities
A recently released review of IRS applications by the Treasury Department found deployed systems contained known vulnerabilities.
The report found:
our review of available test documents provided by the IRS showed that both the CADE and the AMS were deployed with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery. These vulnerabilities increase the risks that 1) an unscrupulous person, with little chance of detection, could gain unauthorized access to the vast amount of taxpayer information the IRS processes, and 2) the systems could not be recovered effectively and efficiently during an emergency.
It goes on to say that the vulnerabilities were known but not considered significant.
The Customer Service Executive Steering Committee, which has final milestone exit approval, 1) did not provide sufficient oversight to ensure that security controls were implemented, and 2) signed off unconditionally on CADE milestones despite the existence of weaknesses repeatedly reported to the Committee.
To properly balance security and functionality, executive managers, not just designers and developers, need to understand what they are dealing with. Poor executive oversight on the financial side can ruin a company (or agency) - the same goes for security and IT governance.



