Well, consider the following.
Most Citrix setups, especially in a call center, aren't internet-facing. This means they aren't exposed to the internet. So the kind of encryption used in the connection, if it's going over LAN, is relatively unimportant. So patching for an SSL vulnerability isn't that much of a security priority.
The vendor did not provide the complete information on the patch. More specifically, on a component of the patch they should have known could cause very big issues.
While I can't condone the corporate policy of always having the oldest software you can get away with, the vendor is really who failed here.