Anonymous: Trump is making America weaker and we’ll exploit it. The international hacker community is preparing to strike against U.S. infrastructure and calls for public awareness against incoming fascism

  • @[email protected]
    1417 hours ago

    Memory safety is just a small part of infrastructure resilience. Rust doesn’t protect you from phishing attacks. Rust doesn’t protect you from weak passwords. Rust doesn’t protect you from network misconfiguration. (For that matter, Rust doesn’t protect you from some group of twenty-year-old assholes installing their own servers inside your network, like you say.) Protecting your estate is not just about a programming language.

    “Infrastructure”, to me, suggests power, water, oil and food, more than some random website. For US infra, I’m thinking a lot of Allen-Bradley programmable logic controllers, but probably a lot of Siemens and Mitsubishi stuff as well - things like these: https://www.rockwellautomation.com/en-us/products/hardware/allen-bradley/programmable-controllers.html.

    Historically, the controllers for industrial infrastructure (from a single pumping station to critical electrical distribution) have been on their own separate networks, and so things like secure passwords and infrastructure updates haven’t been a priority. Some of these things have been running untouched for decades; thousands of people will have used the (often shared) credentials, which are very rarely updated or changed. The recent change is to demand more visibility and interaction; every SCADA (the main control computer used for interactive plant control) that you bring onto the public internet so that you can see what it’s up to in a central hub, the more opportunity you have to mess up the network security and allow undesirables in.

    PLCs tend to be coded up in “ladder logic” and compiled to device-specific assembly language. It isn’t a programming environment where C has made any inroads over the decades; I very much doubt there’s a Rust compiler for some random microcontroller, and “supported by manufacturer” is critical for these industries.

    • @[email protected]
      15 hours ago

      All of this is true, but we will eventually have to migrate to Rust. Will probably take decades tho. Rust is absolutely not a silver bullet, but will help in certain cases.