
As they have now done, they could have reduced the threat exposure by requiring 2FA to join the organisation, and using a password pattern scheme does expose you to a targeted attack, so ideally encouraging password-manager-generated passwords is probably also recommended.

But GitHub could probably have helped by detecting logins from unusual IPs for that user, i.e. a login attempt from an IP they haven't logged in from before, and requiring something like email verification too. Although if they were using an easy-to-guess pattern, then likely the admin's email could have been compromised too.

Edit: GitHub could also warn people whose accounts have admin access to organisations if they don't have 2FA enabled.
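The per-user "new IP" check the comment describes, as an added example that is not code from the commenter or from GitHub: replay a login history, force a second verification step on the first login from a network the user has never logged in from, and only trust that network once the step-up has passed. The event list is constructed, and grouping addresses by /24 (IPv4) or /64 (IPv6) rather than exact IP is an assumption made to avoid challenging the same user on every DHCP lease change.

```python
"""Flag logins from source networks a user has never logged in from before
and require a step-up (e.g. email verification) before trusting them.
Added example, not GitHub's code; events and prefix choices are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample login events in order: (user, source IP, outcome).
# "ok"       = password accepted, no second step performed
# "verified" = password accepted and the email verification step passed
EVENTS = [
    ("alice", "203.0.113.10", "ok"),        # first ever login seeds alice's baseline
    ("alice", "203.0.113.10", "ok"),
    ("alice", "198.51.100.7", "ok"),        # unseen network: must be challenged
    ("admin", "192.0.2.5", "ok"),
    ("admin", "192.0.2.9", "ok"),           # same /24 as a known IP: not challenged
    ("admin", "203.0.113.77", "ok"),        # unseen network: must be challenged
    ("admin", "203.0.113.77", "verified"),  # step-up passed: network becomes trusted
    ("admin", "203.0.113.77", "ok"),        # now known, no challenge
    ("admin", "2001:db8::1", "ok"),         # IPv6 from an unseen /64: challenged
]


def network_key(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) network.
    Assumption: a user moving within one ISP allocation should not be
    re-challenged; tighten to exact IPs for a stricter policy."""
    addr = ipaddress.ip_address(ip)
    prefix = 64 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def process(events):
    """Replay events in order.

    Returns (challenges, known): challenges is the list of (user, ip) logins
    that should have been held for email verification; known maps each user
    to the set of networks that are trusted for them at the end of the replay.
    """
    known = defaultdict(set)
    challenges = []
    for user, ip, outcome in events:
        net = network_key(ip)
        if net in known[user]:
            continue                      # seen before: let it through
        if outcome == "verified":
            known[user].add(net)          # second step passed: trust it from now on
        elif not known[user]:
            known[user].add(net)          # no history yet: first login seeds the baseline
        else:
            challenges.append((user, ip)) # password alone is not enough from a new network
    return challenges, dict(known)


if __name__ == "__main__":
    held, trusted = process(EVENTS)
    for user, ip in held:
        print(f"step-up required: {user} from {ip}")
    for user, nets in trusted.items():
        print(f"{user}: trusted networks {sorted(nets)}")
```

Seeding the baseline from the first successful login is the weak point of any such scheme: if the account is created or first used by an attacker, that network becomes trusted, which is why the check complements rather than replaces mandatory 2FA for organisation admins.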





