What do you know about that? DID they have "ALL" data sets online and readily accessible? If you're going to accuse, you'd better have evidence.
Since we likely agree that over 14 million data sets were accessible to hackers, we can hopefully also agree that the ratio of necessary data records vs. actually available data records is 1:3. That's a lot of extra data and a lot of extra associated risk and responsibility.
At the same time their products were not exactly marvels of technical sophistication
You have *no* idea. Having actually run a software development shop for a large mortgage lender, I can tell you that the mortgage process is so complex that it required us to use mortgage-specific software components from about 50 different vendors. There is no way we could have written all those components ourselves.
You can stash all the (real or perceived) requirements you want, and argue "it's impossible to keep such a system up to date", but what you really argue is this: such systems shouldn't exist in the way they do, because they seemingly can operate only in a very risky fashion.
There's a reason why fail-safe systems for public transport aren't just "somewhat locked-down Windows or Linux computers doing their thing". The only difference is that safety agencies effectively prevent makers of public transportation systems from releasing such follies, whereas as soon as it gets to millions of records of highly personal health and financial records, all major players seemingly agree that they have to do reckless stuff anyway.
Systems and their components do have vulnerabilities all the time, even OpenBSD had at least two remote root holes in the last 20 years in their default install, and unpatched production systems will be exploited sooner or later.
Two months is just a blip in time for large enterprises.
If two months is just a "blip" for fixing a remotely and anonymously exploitable vulnerability, then you can't handle such data in a safe fashion, and your company shouldn't do it. If I physically broke into your compound and started stealing paper records, would you accept a police response after two months of pilfering?
My company (which does support millions of concurrent users) has been working to upgrade its Angular version to the latest version. The team working on this project has about 6 people, and they've been working on it for about 2 years, with another couple of years to go. They're updating one software system at a time, it's just that there are a lot of them to update.
You either willingly or unconsciously confuse a scheduled major version update with a bugfix release. If you are such a huge outfit with "millions of concurrent users", then you will (hopefully) have an SLA with all your software vendors, which covers acceptable response times to newly discovered holes, and hopefully also bugfix support for the precise version of the software you have running on your production systems. You do, yes? Yes????
If you want to add a high-security deadbolt to your house, you can go to Home Depot and have it done today. If you manage a 50-story apartment building, it's going to take a while.
And if that place you're trying to secure is a large depot for nuclear fuel rods, then "everyone is using high-security deadbolts from Home Depot" and "we know that this security bolt can be easily circumvented, but the new bolt is back-ordered for two months!" is not going to cut it. We all accept and embrace this fact for vehicle safety, nuclear safety, air transport safety, industrial machine safety, but as soon as it comes to highly sensitive personal data, we all treat it like a Lego Mindstorm control panel: "Huh? Have you tried turning it off and on again?". Expect regulation sooner or later.