And University researchers are unavailable, unwilling to answer the occasional call?
As someone who has worked for many, many years at a european university (part-time) I'm strongly sceptical about the ability of university staff to do this exact kind of work well. Not to mention the grad students, who will likely be assigned the actual work. Also, it hardly seems like something universities should really do.
By the way, do you have any idea how long this "occasional" call would take? This is EU, with all the regulations. Weeks to prepare the call. At least a month for the call, preferably at least two. A few months for the review and grant agreement preparation. Typically 8-12 months total. Alternative? Public tender. Also months, but not so many. But how do you make sure you can trust the company? It's the era of globalization, if you want to know whether software from eg. a US/russian company is secure (as in some real chance of detecting NSA/FSB modifications), last thing you want is a european branch of another company with ties there. Difficult to ensure with a public tender.
Solution? Have your own small but good team that can do this in less time than a tender or call would take.
Supporting your EU universities and sponsoring research for professors and students does not benefit society?
Yes it does. So, fund it! Pushing routine work like this on us limits our ability to do new things which is the essence of "research". And we will take any work that is called "research" and offers money, that's how universities get money afterall.
I've done my share of work which should never have been given to a university. Routine software development, code review, testing, etc. Practically zero publishable results. Plus, universities do not give the same quality and warranty as a software company in this case. Still, this is a growing trend - throwing such tasks into "research programmes". Expected TRL is growing. Instead of building fascinating prototypes and leaving the conversion to product to spin-offs, universities waste time and talent doing routine work themselves (in consortia, to make things worse). But it's too tempting - instead of allocating budget for something, you just call it a research project and fund it from the science budget. Bingo!
So the internal team is bloated and short on work, but the department/fiefdom must be preserved?
So firefighters should only be recruited when there actually is an emergency? Some jobs have variable workloads, deal with it. And I would be careful with the word "bloat" not knowing how large the team is. For example, having two or three analysts in an organization of this size is hardly bloat.
What makes you think any of this is related to the IT staff's day-to-day work, is within the staff's field of expertise, etc? The person who connects the EUMP's printer to the wifi network may not be the best capable person to analyze malware. All IT jobs/tasks are not equivalent.
What makes you think this would be the same group that runs around installing printers? All IT jobs/tasks are not equivalent. This sort of pro-bono work is exactly a good way of keeping your team of 2-3 security audit guys away from such work and doing exactly what they were hired for. Yes, that team can formally be a part of your "IT services". No, it does not mean they have to be simple support guys with a new task, very much exceeding their competence level.