23AndMe had “inadequate” security systems and was “slow to respond” to warning signs customers’ sensitive data was at risk before the “profoundly damaging” hack, officials say.