FIPS may not be a joke, but most government networks are, especially, but not limited to, those outside of the DOD and IC. They are (in large part), administered by people who follow proscribed procedures, not people who understand what they're doing or why. While some "rogue" administrators will implement best practices beyond those they're required to do, they are the exception, not the rule -- especially admins who actually understand what they're doing rather than overestimating their own competence, which is its own problem. One need only look at the recent public government network compromises to see the consequences of these security procedures, and then apply the iceberg principle -- for every compromise that's seen, there are almost certainly many more that go unseen.
And of course, all the best technical precautions in the world can't protect you from social engineering, insider threats, and/or 0-day exploits. If we've learned nothing else in the past year or two, it's that the deck is stacked very highly in favor of attackers, especially targeted attacks by determined state actors.
Given the above, and the high-profile targets that government networks represent, I would be surprised if most, if not all of them, have been compromised. We like to make a lot of noise about China attacking us, but we almost never mention the country known for the "best" malicious software, which is Russia. Google "Turla," or "Uroboros," for example, and they're hardly mentioned in popular media, let alone in official statements. I suspect that the Russians are either as good as us at avoiding detection, that we just don't want to rattle any sabres by mentioning them publicly, or a little of both.
I think Kaspersky was spot on when he said: "this war can't be won; it only has perpetrators and victims. Out there, all we can do is prevent everything from spinning out of control. Only two things could solve this [permanently], and both of them are undesirable: to ban computers -- or people."