Private contractors never have an interest in fessing up because it affects their past performance ratings for getting new government contracts. My wife does government contracting work for a living, and the stories she tells me would blow your socks off. This game is ridiculously dirty, and the government has no idea how to solve the problem (or even where to start). This particular issue is made even more complicated by the fact that states run the elections, so the normal entities that would be responsible for the defense of those networks (DHS, USCYBERCOM, the NSA) are out due to legalities surrounding federalism and conflicts of interest.
The congressional inquiries are getting funny at this point. When Zuckerberg testified to Congress, it was a riot. It was a young billionaire explaining how the internet worked to a bunch of old people who clearly weren't following him, haha. I get that "cyber" is the hot new buzzword, and if you throw it in front of another word, it makes it sound spicy ("cyberwar," "cyberterrorism," "cybercrime"), but 90% of the people using those words don't really have any idea of what they mean. Even people in the tech industry don't fully get them. I do a little pen testing for fun and as a side gig to make some extra money (getting that independent contractor money, playboy), partly because it's cool and partly to develop an additional skill, because the skills of a retired Army Green Beret aren't exactly in demand in corporate America. The point is that I don't do this full-time, so I'm not at the top of the field. Well, I was talking to the CTO of my wife's company at a party, and he's clearly been removed from the technical side of the game for a while. The guy probably couldn't even tell you what a CVE number meant, and I think he was legitimately embarrassed that I knew more about this stuff than he did. These IT managers mostly have the same technical skills as an intern, so when they're deciding on how to approach problems, it's from a bad POV. Security holes aren't addressed because they honestly don't understand the risk, and it makes vulnerabilities like this one persist in the environment for months or years, assuming that the folks at Symantec or McAfee even publish the damn white paper on the vuln, the scanner guys like Nessus pick it up, and the IT team is doing regular scans on the environment. Oh well, at least infosec guys will always have job security...