This was more of a #reckless than a "No keys no cheese" situation.

Affected users had their keys. The issue was that they delegated those keys to an algorithm that automates signing. A bug in the algorithm allowed attackers to "trick" the software into signing wallet draining transactions.

Only delegate signing to audited or time tested code. Or mitigate loss by only delegating keys with minimal funds.