My understanding is that they used the £500k they said the hack cost to plug the security holes. An interview I saw a while ago basically said he walked in through the front door: the "Administrator" account did not have a password and the computers in question were accessible remotely.
Edit: A Perl script he had scanned for computers with default passwords: https://en.wikipedia.org/wiki/Gary_McKinnon#Statements_to_th...