The mistakes made have been described thoroughly by Arnis Paršovs if you want to read more, but I want to say that Gemalto is not necessarily the true cause. For example there are known cases of keys being generated outside the smartcard, Gemalto or no Gemalto, you can make grave mistakes when you have flawed processes or rules.