After working in the banking world and talking with IT from a lot of other institutions, hell, I'd even take people making the decisions actually being semi-competent in security as a major win.
Properly implemented pub-key crypto would make it so much of the loot from these attacks was unreadable. Of course, if people store unencrypted secret keys on vulnerable servers, or just use one key to encrypt for everyone in the company, or something like that, it's not that useful.