I’m not surprised in the slightest. The politicians and managers in charge of said gov systems are usually of an age that have no idea the basics of how technology works, let alone infosec importance. It’s then contracted out to the lowest bidder on deadlines that wouldn’t permit proper hardening anyways. It’s not even a US specific issue, Australians deal with this dumb fuckery regularly.

Then you get some piss poor public apology, someone gets thrown under a bus, and the cycle repeats ad infinatum.

Iirc: It’s because the government contracting is an arcane bureaucratic nightmare of a process that benefits firms who’s business model focuses on navigating the system over firms that focus on performing competent work.

Reminds me of big corporations, most of the time. My personal identification has been leaked or compromised by dozens of companies - some multiple times.

People also tend to underestimate the scope of something as large as the government. The US government is not just the biggest employer in the US, but is the largest by almost a factor of 2 (2.9M to WalMart’s 1.6M). It’s been around longer than basically any corporation in America, and was often on the cutting edge of IT, which means the number of legacy systems involved in anything is an order of magnitude larger than any private entity. Throw on the pile that many government systems are consider life or safety critical and cannot be taken offline very frequently for maintenance (ATC, military, food and health services, etc) and that they are often delicately intertwined with other systems (gotta make IRS talk to BLM for ranchers, for example) and the “simple” process of upgrading becomes a quagmire very quickly.

Not to mention that the US has a fixed scale of pay, and the IT salaries you see at most large tech firms would not be tenable to the governments bill payers (aka you and me, as represented by 535 men and women who need to be re-elected every 2/6 years).