They got past Facebook's security, ergo Facebook has a security problem. The fact they used the clever technique of breaking into the security manager's home network is neither here nor there. This could have been fixed by, for example, requiring the engineer access any admin systems via a VPN or other secure tunnel (or only on-site)† and ensuring he doesn't use the same password for admin functions as anything else. Both of these are simple, straightforward, best practice security measures, so it's fair to say Facebook's security is bad.

† It isn't clear whether he accessed work-related stuff from home or not; it may just have been he reused a password between his internet accounts and his facebook roles.