Hacker News

This really sounds like more of an "Astros suck at employee off-boarding" problem. They failed to lock out users of the previous system long after they left the company.

Regardless of their weak password storage scheme (which must be fixed), a simple set of changes (like disabling public access to their system, disabling VPN for terminated users, and changing passwords) would have stopped this from ever occurring.



No, this was on-boarded employees using the same passwords at their new job that they had used at the old job. I bet the Cardinals were at least savvy enough to disable Luhnow's old accounts.



