...If their site was already secure, why do they need to 'vastly improve' the security?
It sounds like a tacit admission to the SQL injection rumors floating around.
The database leak showed that the passwords were not stored particularly securely - so that at least needed to be fixed.
Because a fair amount of the account info is now public - that also forced them to implement extra security features, e.g. the IP address checking they did for account reclamation.
Also - they said they intended to keep the existing server 'as is' for investigation purposes.
It does seem a possibility that the auditor story is a cover story for an underlying SQL injection vulnerability - but I don't see this as a tacit admission - it's still just speculation as far as I can tell.