
In the discussion of sudo -- having "PASSWD: ALL, NOPASSWD: /bin/dd" is effectively "NOPASSWD: ALL". The legitimate user will have to enter his password for other commands in a semblance of security, but an attacker who compromised his account can bypass that. Consider the following (with /sbin/route also in NOPASSWD):

  sudo /bin/dd if=/path/to/anything of=/sbin/route
  sudo /sbin/route # pwned!

So I can now run ANY program without a password. If you like, throw in a few more dd commands to backup/restore the abused command (route).

He also has /sbin/insmod in NOPASSWD, which is another "get out of jail free" card. If I can load a kernel module, I can do anything.



First thing I noticed too. The sudo maintainers should modify visudo to do some checking for known "safe" apps versus "unsafe" apps.
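The two comments above describe a privilege-escalation chain (a NOPASSWD file writer such as dd overwriting another NOPASSWD command, or insmod on its own) and ask for a tool that checks sudoers for it. `visudo -c` only validates syntax, so the check below is an added example, not code from the thread or from the sudo project: a small bash/awk auditor that parses a sudoers file with a simplified grammar (one user spec per line, no aliases or includes; these are assumptions) and reports NOPASSWD entries that are effectively "NOPASSWD: ALL". The sample sudoers text and the lists of dangerous programs are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: audit a sudoers file for NOPASSWD
# entries that amount to "NOPASSWD: ALL". Assumes a simplified sudoers grammar
# (one user spec per line, no aliases, no #include); the program lists below
# are my own starting point, not anything sudo ships.

# Programs that write an arbitrary file as root: they can overwrite any other
# NOPASSWD command (or /etc/sudoers itself), so the password on the rest is moot.
WRITERS="dd cp tee mv install"
# Programs that load kernel code: root-equivalent on their own.
KMOD="insmod modprobe"

# Constructed sample sudoers, modelled on the configuration discussed above.
sample_sudoers() {
  cat <<'EOF'
# /etc/sudoers (constructed sample)
Defaults    env_reset
root    ALL=(ALL) ALL
alice   ALL=(ALL) PASSWD: ALL, NOPASSWD: /bin/dd, /sbin/route, /sbin/insmod
bob     ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
carol   ALL=(root) NOPASSWD: ALL
EOF
}

# Reads sudoers text on stdin, emits one finding per line: "<user> <CODE> <detail>".
#   ALL     NOPASSWD: ALL
#   WRITER  NOPASSWD program that can write any file as root
#   KMOD    NOPASSWD program that loads kernel modules
#   CHAIN   a WRITER can overwrite another NOPASSWD target (the dd -> route trick)
audit_sudoers() {
  awk -v writers="$WRITERS" -v kmod="$KMOD" '
    BEGIN {
      n = split(writers, a, " "); for (i = 1; i <= n; i++) isw[a[i]] = 1
      n = split(kmod,    a, " "); for (i = 1; i <= n; i++) isk[a[i]] = 1
    }
    /^[ \t]*(#|Defaults|$)/ { next }               # comments, Defaults, blank lines
    {
      user = $1
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)               # drop "user host="
      sub(/^\([^)]*\)[ \t]*/, "", spec)            # drop "(runas)"
      n = split(spec, parts, ",")
      tag = "PASSWD"                               # sudoers default; a tag persists
      for (i = 1; i <= n; i++) {                   # across later commands in the list
        p = parts[i]
        gsub(/^[ \t]+|[ \t]+$/, "", p)
        while (match(p, /^[A-Z]+:[ \t]*/)) {       # consume NOPASSWD:/PASSWD:/SETENV: ...
          t = substr(p, 1, RLENGTH); sub(/:.*/, "", t)
          if (t == "PASSWD" || t == "NOPASSWD") tag = t
          p = substr(p, RLENGTH + 1)
        }
        if (tag != "NOPASSWD" || p == "") continue
        cmd = p; sub(/[ \t].*/, "", cmd)           # strip arguments
        base = cmd; sub(/.*\//, "", base)
        if (cmd == "ALL")     { print user, "ALL", "NOPASSWD: ALL"; continue }
        if (base in isw)      { print user, "WRITER", cmd; w[user] = w[user] " " cmd }
        else if (base in isk) { print user, "KMOD", cmd }
        else                  { o[user] = o[user] " " cmd }
      }
    }
    END {                                          # every writer x every other target
      for (u in w) {
        nw = split(w[u], ws, " "); no = split(o[u], os, " ")
        for (i = 1; i <= nw; i++) for (j = 1; j <= no; j++)
          print u, "CHAIN", ws[i] " -> " os[j]
      }
    }'
}

# Demo on the constructed sample; on a real host: sudo cat /etc/sudoers | audit_sudoers
sample_sudoers | audit_sudoers
```

On the sample this reports alice's dd as a WRITER, her insmod as KMOD, the dd -> route CHAIN, and carol's outright NOPASSWD: ALL; bob's apt-get and root's password-protected ALL produce nothing. A NOPASSWD writer is reported even with no other NOPASSWD target, because it can still rewrite /etc/sudoers, /etc/shadow or a cron job, which is the same outcome.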



