The problem isn't that Plex was leveraged to compromise LastPass and obtain the vaults. I am willing to bet that if asked, Plex would not qualify as an "organizationally approved application" in most cases. I keep seeing snickering and snide comments to the effect of "Those dummies were breached to an old version of Plex." *insert snort laugh*. The problem here is significantly worse than that.

LastPass has allowed developers to log into the environment through computers which do not belong to them. These systems have no visibility to IT or IT Security Operations. No baseline enforcement on security on those devices. No logging and alerting for potential issues. When you are a company in charge of your customers' secrets, this cannot happen.

Given the sophistication of this attack, my prediction is that this is one of two scenarios: A) this is a current or former employee that has an axe to grind with the company, or B) this is a nation state hack in order to target one or multiple individuals.