
That's a great point, Dropbox totally had a security bug that one time.


In my estimation, if their system was decently designed, instead of granting anyone access to everything, nobody should have been granted access to anything if there is an authentication problem. Can you possibly imagine a worse system than they currently use (that still attempts to provide security)?


How do you know what they "currently used"? Do you really think their authentication really defaults to "yes" still?


Depends on what you keep in there. For a lot of people, losing access to their documents would probably be worse than the (very small) risk of someone else seeing them.

But anyway I don't think a discussion of Dropbox's security model is very germane here.


the security bug was a lack of authentication that rendered Dropbox nearly useless for its core purpose of securely storing files, that got pushed to production and _stayed there for multiple hours_.

giving Dropbox some guff for it is completely reasonable.



