A laptop being stolen from somebody's home isn't in itself a fault in the Council's IT security procedures. A person's home is a perfectly reasonable place for a business laptop to be. The fact that the sensitive information on the machine wasn't encrypted is obviously a serious failing as far as IT
Your other example is a classic example of someone slavishly adhering to a set procedure (one that's required by law) without seeing the full picture. It's the kind of thing that happens a lot.