The author did not claim anybody can expect or provide 100% security. The write-up was (among other things) about something more important - how do companies respond when presented with an important security issue. 37signals responded fairly poorly and that's useful information. Interestingly, this is not the first report of a somewhat strange attitude they seem to have regarding possible exploits -

http://evilpacket.net/2009/jul/9/basecamp-one-wrong-click/