It's important to note in this "Facebook plain-text password" story that the passwords are being stored with salted scrypt hashes, that's not the issue. Instead, the issue is inadvertent logging of web requests -- which happen to contain clear-text passwords.

2/ The analogy is that Facebook has all the proper locks on the doors -- but somebody left the window open.

3/ It's a common problem that all companies have. It should be one of the first things you audit in your security architecture. Don't simply verify passwords are hashed, also verify with the web team that they don't get logged along with all the other web input.

4/ In addition, look at error logging. You may have properly stripped it from normal web requests, but forgot about stripping it from error messages, which still results in millions of plain text passwords being logged.

5/ It would be wrong thinking Facebook is unusually bad here because it made this mistake. Most organizations have made, or are currently making, this mistake. Facebook is unusually good that they own up to it**

6/ ** Though that's probably due to GDPR that Facebook both discovered this and has owned up to it. It's one of the things GDPR auditors look for nowadays. So it's unusual in the U.S., though I'm not sure it's so unusual in Europe.