Right, because another requirement/standard will solve this problem. It will get tossed on the pile of requirements for every new contract. It will be implemented to the letter, just like current security requirements. And it will help a bit but things still won't be "secure."
Security is fundamentally picking the level of risk you're willing to accept. The answer is uniformly "none," but strangely enough you still want that network hooked up, so you end up with a 4,000-page requirements document that effectively amounts to "Well, you need to make sure that _everything_ is 100% locked down and goes through 6 month review and and..."
Security works well when there's no hacks, no rushes and above all no one in the organization who says "I'm important, so these rules represent a threat to my status/are stupid/but this is _important_..." You don't think there's anyone like that in the government, do you?