Board Service Discussion
Re: Instawallet claim process
by
tvbcof
on 05/04/2013, 07:57:54 UTC
There is a significant difference in the relationship between Bitcoin Central and its customers as opposed to Instawallet and its customers. Bitcoin Central did have an authentication system, which did provide their customers with more protection. In the end Instawallet users lost their bitcoin to a database hack, BTCentral was just running on the same servers. Many users made a well-reasoned decision to stay away from Instawallet and still used BTCentral.

We do not know anything about how the hack was done. You do not know whether the authentication played any role in this hack. It is not like the lack of wallet authentication on Instawallet gave anybody instant and full access to the underlying database and server root.

Let me just write out one possible scenario from millions of other possibilities. Maybe the flaw that the attackers used to get access to the shared server and instawallet database was originally on bitcoin-central side and it was bitcoin-central that was hacked first. It is also possible that hot-wallet funds and database from both services were lost, it just makes more sense for them to admit one loss of funds instead of two and pour everything on Instawallet users to bear.

If you see some entity running a service with glaring security holes, it does not make sense just to avoid that poor service, it makes equal sense to avoid all the services of this entity. If you are able to spot one glaring hole, there can reasonably be expected to be a hundred other holes you just have not noticed yet from the outside and those hundred holes can be assumed to be equally on all the services that this sloppy and uncaring entity is developing SW for. It is not likely to assume that some entity can generate perfect code for one site and then switch hats to develop pisspoor code for another one. They could all be assumed to be equally pisspoor quality.


As an Instawallet user and not a BC user I would love to agree with you, but I have to note that Instawallet was up-front about the modest security (even by the dismal standards I've come to expect from Bitcoin related enterprises) and they warned against keeping anything but spare change there.  At least it did when I created an account.  That should not give them license to steal from Instawallet users, of course, but it is as you say, only one possibility among millions that that is how things happened and there is no general understanding of the events at this point.

One of the more possible explanations is that it was an inside job by an employee of some sort (perhaps like the Mt. Gox deal.)  Again, if they really have involved law enforcement that stuff will probably come out in the wash.  It would be very interesting to get independent confirmation that law enforcement was or was not solicited to help with the issue(s).  That would be as meaningful as anything, and fairly legitimate given that the enterprise was bragging about working with a mainstream bank.