You say that the government is very risk-averse and therefore a risk analysis was done, but that seems contradictory to the fact that significant gaps and deficiencies were found.
Was the cost of a total government computer shutdown factored into the analysis? This is one of the risks we face, in the event of cyber-attacks. If a true cost-benefit analysis was done, I would be really surprised if the risks of a complete system shutdown were taken into account, since you still proceeded to put the system in place in an automated, cyber way, to put it that way since I don't know the exact terms so well.
Finally, I am very surprised by all of this. There is a contradiction there and I would really like to have a clear answer about that.