What's the threat model for cookie theft? That if someone gets access to your company hard drive, but not enough access to install a keylogger, then instead of invalidating a session you also have to invalidate the password too?

It's an issue but I wouldn't call it a particularly big issue. I don't think it's very damning for how much the company cares about security.

And it sounds like the turnstiles did work for actual security? Sure, they gave up on per-floor security, but that's a lot less important.

Edit: And if employees are reusing passwords then we should be getting them password managers (or SSO) as the top priority, much more than we worry about logins in cookies inside the building. I mean, there's a point where a single purpose password and a login token become the same thing.