I agree that it could and should have been prevented. Nomad even had an auditor look into their codebase and point out to them the issue. The audit itself literally has "acknowledged" next to the vulnerability, yet it was ignored.

I guess nobody thought that they would mistakenly add 0x00 as an acceptable root when the contract was initiated. Even auditors missed that.