Published in AITProfiles
Published by robweis on September 1st, 2010 in Tech Life
I was recently published by AITProfiles! This article reviews one of our latest project successes. Enjoy!
http://aitprofiles.wordpress.com/2010/09/01/north-wind/
Anonymous on September 7th, 2010
Nice interview, you're famous :) From the article:
It was running on a free version of SharePoint that was outdated, unpatched and living on the DMZ.
And
All the while, it was completely accessible to anybody on the planet if you could get past the basic NT authentication.
And
The intranet contained sensitive data about many government projects.
Your interview only mentions replacing SharePoint with Drupal and integrating with Active Directory. Much of the three sentences above was never covered or answered.
Is your Drupal instance living on the DMZ?
Have you added any additional security mechanisms, processes, or procedures that you didn't have before?
How is Drupal authenticating users? You mentioned the tie-in to Active Directory. Is NT authentication still used? I mean, if a bad guy has a valid username/password, how has your exposure changed?
Has data been moved off the intranet? Has Drupal allowed you finer grained access controls?
Also, how easy/hard is it to stay current with Drupal updates and security patches given that your company has done so much custom work?
-Doug
robweis on September 7th, 2010
It was running on a free version of SharePoint that was outdated, unpatched and living on the DMZ.
And
All the while, it was completely accessible to anybody on the planet if you could get past the basic NT authentication.
And
The intranet contained sensitive data about many government projects.
Your interview only mentions replacing SharePoint with Drupal and integrating with Active Directory. Much of the three sentences above was never covered or answered.
1. We ended up cleaning up several pages/projects and moved collaboration content to a more restricted audience and off the DMZ. The collaboration piece of the project is currently in beta for us.
2. We reduced the "need" for login while internally accessing the Portal, unless you are making changes, contributing content, etc. If you are a normal user you can view the Portal without requiring a login. This made us significantly more efficient compared to the previous system, which oftentimes required multiple logins to access some content.
Is your Drupal instance living on the DMZ? No, it is on the internal network.
Have you added any additional security mechanisms, processes, or procedures that you didn't have before? Yes, we now require VPN access. Also, we improved our remote office networking to allow them internal access on private lines. We monitor Drupal for updates and perform regular maintenance.
How is Drupal authenticating users? You mentioned the tie-in to Active Directory. Is NT authentication still used? I mean, if a bad guy has a valid username/password, how has your exposure changed? We are still using AD for authentication. However, we are utilizing VPN technology instead of IIS NT authentication to reduce our exposure. If our VPN were compromised, then yes, it would be an issue for us across multiple systems. However, we took the approach of watching one door closely rather than multiple doors poorly or rarely.
Has data been moved off the intranet? Has Drupal allowed you finer-grained access controls? Yes, we have moved chunks of data that were not appropriate for an audience of "everyone" internally. This was part of the cleanup and migration to our collaboration environment. Our collaboration environment allows for very specific access control to the content depending on the sensitivity or requirements.
Also, how easy/hard is it to stay current with Drupal updates and security patches given that your company has done so much custom work? So far it's been pretty easy. Drupal allows for custom "modules" to be used instead of modifying "core" in most cases. So, it hasn't been painful to perform updates during our normal patching cycle. We have run into some issues with updating our collaboration system (Open Atrium) since we've made a lot more code modifications to it. But, since it's beta for us and for Open Atrium, I expect improvements with this problem over time.