That's spectacular.
That CVE was in the weekly US-CERT alert email. It was discussed in the tech media. It was on The Register front page. The initial fix was in April's Quarterly Patch Set, and somebody in the company should have got an email about that. Here's the advisory that I got in my email. It's pretty clear about the risk.
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html?elq_mid=75866&sh=1426070719220423041815081213153331041230&cmid=SPPT160711P00036#AppendixFMW
Equifax has (or had) 9500 employees, and only ONE person was responsible for keeping an eye on the alerts?
Nah, sorry, it's not that employee's fault. What they have there is a failure to take this stuff seriously.