I have been working on a large data project for another state - this state has outsourced everything to 3 or 4 large companies. That itself is not so bad, but the state doesn't have anyone left to make decisions. Instead it is all left up to the vendors. It is difficult for vendors, even when trying to do the right thing, to know what the business (state) needs or wants for some things.
Trying to implement proper security controls and create separation of duties when everything is outsourced is hard to do. Especially when all vendors bid their part without expectations of having to handle new requirements.
I am sure Oracle shares some of the blame, but I bet the state is responsible for a lot too.