Hardly surprising, given the dearth of IT knowledge in the industry... and given the hell to pay if anyone looks for the breaches and actually finds one.
P.S. Is the telco in question still running the Medicare claims system? The one that involves accepting two invalid SSL certs in the process of starting some heinous Java VPN... which by law must be done by a Registered Nurse who barely even knows how to type. Have they fixed anything yet? I'm guessing they haven't even spotted any breaches in it yet, so they're still in ain't-broke-don't-fix mode.