There is a lot of truth to the problem cited that agencies have had to document their existing systems to such a degree that they don't have the money, manpower, or time left to fix the problems they find. That's certainly no excuse, just an explanation and indicative of the larger problems at hand.
I recall a project where we were told we needed to comply with certain standards for information security, but then were told by the customer that those standards were classified and that we would have to get additional clearances for our staff to even see the standards we had to follow. Yet they also demanded that those standards be worked into any public release versions of our software so that it's not customized for each and every version to meet their needs... thus I don't see why the standards are classified to begin with, but hey, it's a crazy world.