The first aeroplanes had mininal payloads, crashed regularly, and...
Indeed. But this is hardly the first database, web interface, online register of activity, that humanity has built.
Apart from hiring some technical skillz, they could have started by building in a few obvious key requirements in the beginning, such as:
Data protection
Primarily allow the user to own and store their own information, not be forced to leave it in a massive honeypot where others will do their best to dis-own it.
Support user-defined encryption, where at a minimum, users can opt to keep the private key- or do something like use a secure ID token that they can use to access their data, and restrict others' access to it.
Ability for the user to scale security on the encrypted data, re-encrypt, double-encrypt, re-issue tokens, keys, passwords, MFA, etc.
Because they avoid all aspects of user-oriented security concerns, the DTO and others are destined to fail. Why not get it the right way round, implement workable security around the citizen first, and then add features and accessibility? E.g. Plan for regular releases to build solid functionality on top of a stable, well-tested base:
i.e. A New feature/day.
v1.0 Secure and stable storage of information, bare minimum of features
v2.0 Add features as needed
v3.0 etc.
Not
v1.0 Broken
v1.1 Worse
v1.2 Hacked
v1.3 Patched
v1.4 Hacked
v2.0 Doesn't work
v2.1 Fixed so it works (but only for some)
v2.2 Works mostly, but now most users are scared of the whole thing, project stalls.
v2.2 Force everyone to opt-out instead of opt-in
v2.3 Technical release, buying time
v3.0 Mine data from other sources, insert
v3.1-v8000 Remove data inserted into unrelated accounts. Quadruple budget, several times.
v4.0 Deal with constant attacks, publicity around ongoing data ex-filtration to offshore actors
v5.0 Announce new cloud platform version, all data cleaned and migrated
v5.1-5.5 Fail to migrate data, force everyone to re-upload records
v6.0 Amend account data where lost, incorrectly related and causes problems (practitioners to prescribe the wrong dose, medication, procedures, etc.)
Giving a turd rolled in glitter more time to perform only results in throwing more good money after bad.