
You'd imagine, but this conference software apparently only requires a PIN that's visible as a GET parameter in the URL. I don't think you can blame the users for posting a screenshot.



In this case, you can blame the user. They are the minister of defense, they can (and should) request an audit for the conference system they use. Personally, I think that they didn't want a more secure system like 2FA because it's not convenient for them.


Zoom introduced meeting passwords a few months ago after similar issues, to prevent randos joining meetings by guessing short meeting IDs. But there's a tradeoff between security and usability, so they accept the password as a parameter in the URL, which for 95% of cases is a good tradeoff (for example, the Outlook Zoom plugin generates the URL with the password directly in meeting invites). Most people don't live-share their super-secret in-progress meeting IDs and passwords on Twitter. Probably more people share their CC number or boarding passes on Instagram each day.

However, what Zoom and other conference tools could do is read the password from the URL and then use the `history.pushState()` DOM API to replace the URL and erase the password once the meeting is launched.

The downside, though, would be that users wouldn't be able to just copy the URL from the browser's URL bar any more and send it to other people to join.
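Here is an added example (not Zoom's code, nor anything from the original thread) of the scrub-the-URL approach the comment above describes, together with a way around the copy-the-URL downside: read the password from the query string, rewrite the address bar without it, and keep the credential in memory so an explicit "copy invite link" action can still produce a shareable URL. It uses `history.replaceState()` rather than `pushState()`, so the password-bearing URL does not stay in the tab's session history behind the Back button. The parameter name `pwd`, the `meet.example` host and the fake window object are assumptions made for the example so it runs offline in Node; in a browser you would pass the real `window`. Note what this does not fix: by the time this script runs, the full URL has already been sent to the server, written to the browser history, and possibly leaked via the Referer header of any third-party resource on the page.

```javascript
// Added example: strip a meeting password from the URL after reading it,
// while keeping it available in memory for an explicit "copy invite link".
// Assumption for this example: the password travels in a query parameter named "pwd".
const PWD_PARAM = 'pwd';

// Pure helper: returns the password (or null) and the URL with that parameter removed.
// Other query parameters and the fragment are preserved untouched.
function readAndStripPassword(urlString, paramName = PWD_PARAM) {
  const url = new URL(urlString);
  const password = url.searchParams.get(paramName);
  url.searchParams.delete(paramName);
  return { password, cleanUrl: url.toString() };
}

// Wire the helper to a window-like object ({ location, history }).
// Call this as early as possible in page load, before third-party
// scripts or images can observe the address bar or emit a Referer header.
function createMeetingSession(win, paramName = PWD_PARAM) {
  const { password, cleanUrl } = readAndStripPassword(win.location.href, paramName);
  if (password !== null) {
    // replaceState swaps the current history entry in place, so Back does
    // not return to the URL that still carried the password.
    win.history.replaceState(win.history.state, '', cleanUrl);
  }
  return {
    cleanUrl,
    hasPassword: password !== null,
    // Rebuilds the shareable link on demand (for a "copy invite" button),
    // so the password never has to sit in the address bar.
    inviteLink() {
      if (password === null) return cleanUrl;
      const u = new URL(cleanUrl);
      u.searchParams.set(paramName, password);
      return u.toString();
    },
  };
}

// Constructed stand-in for the browser's window, so the example runs in Node.
// It records replaceState calls and mirrors the new URL into location.href
// the way a real browser would.
function makeFakeWindow(href) {
  const win = {
    location: { href },
    history: {
      state: null,
      replaced: [],
      replaceState(state, _title, url) {
        this.state = state;
        this.replaced.push(url);
        win.location.href = url;
      },
    },
  };
  return win;
}

// Demo on a constructed invite URL (hypothetical host and meeting id).
const demoWindow = makeFakeWindow('https://meet.example/j/123456?pwd=s3cret&uname=Bob');
const demoSession = createMeetingSession(demoWindow);
console.log('address bar now :', demoWindow.location.href);
console.log('copy-invite link:', demoSession.inviteLink());

module.exports = { PWD_PARAM, readAndStripPassword, createMeetingSession, makeFakeWindow };
```

The important property is that `inviteLink()` is the only path that reassembles the password, so sharing requires a deliberate click rather than whatever happens to be in the address bar when someone takes a screenshot.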


Or, they could use a hash of the password in the URL, that's always longer than what will fit in the visible part of the address box.



