i think the facts of the matter are that a gmail vulnerability is on the very low likelihood kind of event. they wouldn't burn their insanely valuable vulnerability on showing how much of a fratboy kash is. the most likely possibility is that he either clicked on something dumb and gave access through phishing(really bad) or had a really weak password without 2fa(also really bad).

are you suggesting the former is not a demonstration of a shocking lack of competency?

Did the director have his email on a vulnerable server? Yes. Yes he did.

He should have known better.