Channel Register

Post: Are you sure these are problematic?

Anonymous Coward

In DNS gaffe leaves spy agency totally under cover

"For one thing, a web server was run on the same machine (or at least same IP address) as one of the authoritative name servers for nsa.gov. Secondly, the primary and secondary authoritative name servers are both downstream from the same Qwest edge access router in Washington DC, instead of being properly separated."

The first is fine - you can run an http server on a DNS machine if you like.

And can you share an IP with another machine? I don't think so, not really. Say the DNS is running behind a NAT: the external IP would be the same, but the actual final IP numbers would be different.

The second, well you could argue redundancy to another continent, planet :) etc, but it is just the level of redundancy and it is not a requirement.

I agree, the NSA should probably use extra precautions, but the above is just a matter of preference, and in some instances following that advice may introduce other vulnerabilities.

And nsa.gov is just a PR area for the agency; they would be crazy to run day-to-day security services through that domain. This is newsworthy, in an ironic way, but I doubt much has been compromised.
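
The two conditions in the quoted passage (a name server sharing an address with a web server, and both name servers sitting behind one edge router) can be checked from resolver and traceroute output. The following is an added example, not part of the original post; the hostnames, addresses and hop lists are constructed, using documentation address ranges.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real nsa.gov records).
NS_ADDRS = {"ns1.example.gov": "192.0.2.10", "ns2.example.gov": "192.0.2.77"}
WEB_ADDRS = {"www.example.gov": "192.0.2.10"}
# Constructed traceroute hop lists from one vantage point to each name server.
PATHS = {
    "ns1.example.gov": ["198.51.100.1", "203.0.113.5", "203.0.113.9", "192.0.2.10"],
    "ns2.example.gov": ["198.51.100.1", "203.0.113.7", "203.0.113.9", "192.0.2.77"],
}

def shared_service_ips(ns_addrs, web_addrs):
    """Name servers whose address also answers for a web host.
    A shared address can mean one machine or several hosts behind one NAT."""
    web_by_ip = {}
    for host, ip in web_addrs.items():
        web_by_ip.setdefault(ip, []).append(host)
    return {ns: sorted(web_by_ip[ip]) for ns, ip in ns_addrs.items() if ip in web_by_ip}

def shared_prefixes(ns_addrs, prefix_len=24):
    """Prefixes that contain more than one authoritative name server."""
    groups = {}
    for ns, ip in ns_addrs.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups.setdefault(str(net), []).append(ns)
    return {net: sorted(hosts) for net, hosts in groups.items() if len(hosts) > 1}

def common_last_hop(paths):
    """The hop just before the destination, if every name server path shares it."""
    if not paths or any(len(hops) < 2 for hops in paths.values()):
        return None
    last_hops = {hops[-2] for hops in paths.values()}
    return last_hops.pop() if len(last_hops) == 1 else None

def audit(ns_addrs, web_addrs, paths):
    """Collect the findings into one report dictionary."""
    return {
        "ns_shares_ip_with_web": shared_service_ips(ns_addrs, web_addrs),
        "ns_in_same_prefix": shared_prefixes(ns_addrs),
        "single_upstream_hop": common_last_hop(paths),
    }

if __name__ == "__main__":
    for finding, detail in audit(NS_ADDRS, WEB_ADDRS, PATHS).items():
        print(f"{finding}: {detail}")
```

A shared last hop seen from a single vantage point is only an indication; paths from several networks are needed before concluding that the name servers have one upstream.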