One hopes not as this stuff would have come up in even a cursory audit of the product - but it’s kinda like Ratings Agencies / Moody’s in 2008 right now until a big breach that occurs post-cert and they lose their credibility.

The number of FISMA-HIGH, ATO’d/RMF’d, security audited government systems I’ve seen with equivalent security issues is…substantially nonzero.

I have come to believe that most security audits, even ones conducted through widely-reputed groups or under strict standards, are much worse than useless.

Audits are a thing that can theoretically be done well/in a value-adding way, but rarely are, for the same reasons that most private-sector security teams I’ve worked with are effective only at generating internal badwill, and ineffective at increasing security above a very low baseline.