VPNs vulnerable to MiTM because ANY certificate goes
Short answer:
Nope, can't be done. This is because a reputable Certificate Authority will not issue a certificate for a domain that your sysadmin does not control.
Long answer:
It can be done under some scenarios.
For example - if you're using OpenVPN to create a TLS connection to a VPN concentrator elsewhere in the world called...say...awesomevpn.sx, one of the first steps in the TLS handshake is server certificate validation. Your sysadmin could attempt to MITM this connection, but he would not be able to present a certificate for awesomevpn.sx because no CA will issue it to him, which would cause the connection to fail.
However, consider a scenario where a company has contracted a vendor to install packet inspection appliances. In order to perform MITM attacks on secure connections, the vendors will compel the installation of their own "root" certs onto client machines. That way, they can use their own CA to sign certificates for any domain. This can be done on the fly by the inspection appliances. When those certificates are presented to the client during the MITM sequence, they will be accepted, allowing the connection to complete, and the packets to be inspected in the clear.
This sounds like a weakness of the CA system, but remember that in a corporate environment, you do not have physical control over the machines owned by the company. Without physical control, it's game over in terms of security.
So the explanation you've been given is missing a key point - they did not mention the requirement to install their own root certs on client machines. It has nothing to do with a weakness in the VPN clients, or the various protocols used for secure connections.
You might want to read this piece on the Gibson Research Corporation site: The “S” added to the end of the “HTTP” means SECURE. (Or at least it was supposed to.)
The presence of the unbroken key or the lock icon on the web browser once meant that the connection between the user and the remote web server was authenticated, secured, encrypted . . . and not susceptible to any form of eavesdropping by any third party. Unfortunately, that is no longer always true.
And
How is this elegant system [cfr. CA-system] subverted?
Any corporation, educational institution, or other Internet connectivity provider who wishes to monitor every Internet action of its employees, students or users — every private user ID & password of every social networking or banking site they visit, their medical records, all “secure” eMail . . . EVERYTHING — simply arranges to add one additional “Pseudo Certificate Authority” to their users' browsers or computers. It's that simple.