It would be interesting to see the insert and update pages they were able to access. Perhaps you don't have the security code properly applied.
Another possibility is that the person had a username and password and was able to log in. Security Assist will help make it so that login is required, but if someone has login information it won't help.
Sometimes a SQL injection hole on the site front end can allow someone to get username and password information they can use to log in on the back end... but how would they even find your admin section?
If you have SecurityAssist properly applied, then the only way to get to those pages is to log in. So you should probably be trying to figure out how they got that login information and I'd say a sql injection hole is the most likely place.