One of the difficulties is that priorities in government sector procurement are often biased in favour of the senior management and doing what is seen to be good politically, rather than usability or manageability.
The difficulty with the govt tender process is that some vendors are unfamiliar with it and don't give the best answers to the questions asked in the initial tender documents.
E.g. I've just been involved with the procurement of a PACS system (digital X-ray archive), and a lot of the vendors simply scored 0 on a large number of points when they returned their responses to the original specification document.
For example (these are not verbatim examples, but fictional examples which I believe accurately depict the problem):
Tender question: Describe how the software ensures compliance with the Data Protection Act (DPA).
Typical bad answer: The software is compliant with the DPA.
(This is a totally meaningless answer - as a result the vendor scores 0 on this specification point).
Typical good answer: The software has features that assist the hospital in meeting the following aspects of legislation: Control of access, control of retention, Prevention of disclosure and assisting staff in preparation of subject access requests.
Control of access: The software provides for password, certificate, hardware token or Active Directory authentication. There is a role-based permissions system with arbitrary complexity - for example, a nurse's login could be restricted to access of patients only on her ward. Permissions can be controlled on a role or user level, and can provide access control on any image, case-record metadata (including custom fields) or metadata available from a connected information system.
Control of retention: Data can be destroyed automatically when no longer needed. The period can be configured by the local administrator according to local policy. A rules-engine is included which permits granular control of retention based on, for example, patient age (children's examinations can be kept until adulthood, instead of on a data age), type of examination (e.g. research studies may need longer retention), manual flags, any image metadata, or metadata from a connected information system.
Prevention of disclosure: All data stores are encrypted with 256-bit AES. Data transmission over the LAN, or public networks, is encrypted using TLS 1.1 with 256-bit AES. If data caching on client machines is permitted by the administrator and local policy, the data is encrypted using 256-bit AES. All system accesses are logged in an audit-trail. Powerful analysis tools, including a rules-engine, are provided to allow investigation of suspected abuse. If the system administrator permits images to be saved to teaching files/PowerPoint documents/etc., image metadata containing patient identifiers will be removed automatically. If the images contain patient identifiers in the pixel data, then the images will be redacted automatically (subject to the availability of appropriate metadata in the original image files).
Subject access: The system can provide a full subject access report for both patients and users (staff). The report will include all data, including audit trails, together with a summary (the staff report will have patient data redacted automatically), and can be exported to optical disc or hard drive in a single operation.
With an answer like that, it has to score 10/10.
The problem is that most of the software vendors are not very good at understanding the questions - particularly, where they relate to legislation. The big winners here tend to be the big contractors, often infamous in the national press for supply of poor quality solutions. They "get" what the questions are asking, so score big - and this often makes up for less-than-stellar performance in the technical and usability sections of the scoring.