They might not be keeping their systems uptodate but sometimes i pity the techs working for the govt. Where i am, its either they are overworked or dont have the right tools cos of budget constraints. the other problem could also be management who dont want to be troubled by all this patching and securing cos it makes things more difficult for them to use and to them it wastes their time.

In my place, I have patched the machines with remote deployment tools but running a scan the next day i realised that many machines were still vulnerable cos the users dod not shut down their systems at the end of the day. I spent a couple of days chasing them down to get them to shut down the systems at the end of the work day. This is on top of all the other sutff that i am doing. Its really a pain when you got users who dont bother.