The Bitfinex hack in 2016 was a special beast:

They were not using the typical hot/cold storage setup most exchanges use but rather had a novel wallet setup where each user had their own separate multisig wallet; both Bitfinex and BitGo held keys, and in some cases so did users.

Discussion

The setup was not designed with security in mind, but rather with regulatory arbitrage in mind: at the time Bitfinex was fighting with the US Gov about their lack of financial compliance and this was an attempt to say "we do not hold customer funds so we do not have to comply."