
The company just has to actually care about the security of peripheral systems like this that aren't directly a part of their product offering. Okta has more than sufficiently smart admins who can prevent session tokens from being stolen, but I'm willing to bet their attention is devoted 95% at least to Okta itself and not their external help desk that they probably don't even run themselves. Attackers will always find your weakest link, whatever you think is too insignificant to devote effort to.

