I think it is really apparent even before this that SR doesn't know that much about running a hardened server or writing security critical code. Thing is people should be managing their own security and not care if the server is compromised, so does it really matter? Also he knows enough to configure a tor hidden service and he is using linux, so it probably isn't a horrible failure security wise.