No. This shows that Facebook has no robust security model at all.
Either they do not have any mandatory access control for private data, or someone approved of circumventing such access control measures for this feature.
Both is in my opinion inacceptable for a company holding so much potentially sensitive data.
One example of a hole does not make a bucket into a sieve.
For a company of FBs size and personal data contents, I agree, they have a rather scary track record. But saying <symptom of X> implies <X> is fallacious, especially when it's also a symptom of <AAA> through <ZZZ>.