They should be required to do audits and pen testing yearly due to requirements of government systems. It sounds like SolarWinds worked with pen testing firms that just gave passing grades. Sometimes organizations purposely hire bad security talent so they don't get exposed as doing a bad job.
You mean like how the government hires SolarWinds?
I have a client that uses at least one SolarWinds product and I shudder...