Many of these SPOFs are tolerable because attackers are easy to track down, and those points of failure are not so bad as to destroy the ability of the system to track down and punish attackers. Where things get scary are when this deterrent effect disappears:
1. The attacker might be too powerful to deter, or might be able to make a coordinated attack that would prevent their punishment. A general great-power war would bring down many of these systems in the first few hours.
2. The attacker might be able to avoid detection or identification. This is the bucket most of those security fall under - if an attacker can take advantage of these systems anonymously, there's no deterrent effect.
Cambridge Analytica is a bit of a hybrid case; it was used by powerful probably-state actors for deniable attacks.
1. The attacker might be too powerful to deter, or might be able to make a coordinated attack that would prevent their punishment. A general great-power war would bring down many of these systems in the first few hours.
2. The attacker might be able to avoid detection or identification. This is the bucket most of those security fall under - if an attacker can take advantage of these systems anonymously, there's no deterrent effect.
Cambridge Analytica is a bit of a hybrid case; it was used by powerful probably-state actors for deniable attacks.