Pay no attention to the anti-virus vendor behind the curtain... or: Vulnerability != Exploit
Why oh why oh why do I smell a computer security vendor rat in this story?
Guess what? Every web server visible on the Internet has at least one vulnerability or more. The trick is in mitigating them. Anyone serious about "Information Assurance" knows the difference between a vulnerability and an actual threat, and can prevent threats.
Hitting a vulnerability in an IRS server might let you put in an extra web page or two, but would it let you commit gainful fraud somehow? And how many of those "unauthorized servers" are even remotely connected to sensitive data?
"...hackers or employees could exploit the vulnerabilities." Show me the proof, and stop wasting my time with anecdotes. The IRS employ some of the most paranoid people in the United States, and so much as sneezing on an IRS employee is dangerous... :-)