So despite the fact that other multiuser systems have been giving local users shell accounts for, oh, thirty years now, without it being a major security hazard, in the hands of Apple, it's a nuclear weapon that must never be entrusted to end-users. That about the size of it?
In an improperly-configured system a user can find ways to break it.
If the guy who started the test specifically gave people accounts to hack a 'plain vanilla' system without doing any of the things that an admin would do to make a system secure from enemies, then what kind of test was it? The same thing would go with a windows system: disable the safeguards and a user can have a holiday with it.
Remember: this is a personal computer operating system; NOT a mainframe system where there is centralized processing - each OS stands-alone and only data is transferred. Tools exist to be used and it's up to responsible administration to oversee that the right tools are available to the right individuals.
In such a 'distributed computing' architecture the security is dependent from machine-to-machine. And just because someone was able to hack a system on which he had a password and access to the right tools doesn't necessarily mean that he could hack a system on which he does NOT have an account (whether or not the tools are available on that unit).
Computer security is a dynamic animal and no OS is invulnerable - especially if someone has 'keyboard access' to the unit (be it in-person, sitting AT the unit; or remotely logged-in to the unit - as was the case with the 30-minute hacker).
even you must admit: it's a whole lot easier to block intrusion by non-users than it is by a user.