"...to implement even basic information security controls"
While I would be happy to accept the call that three of the ASD top four mitigation controls "basic", application whitelisting is definitely far from basic. It's not commonly used, it is a very complex and incredibly risky control to implement, and a lot of people are rightfully worried about the potential impacts. I am implementing whitelisting on servers and the amount of hoops we need to go through to make sure everyone is happy we're not going to break anything is more than I'm used to :)
On top of this, its value is still not well known, especially once attackers start becoming aware of it and trying to get around it.
The other controls are definitely what I would call basic controls, but again "basic" doesn't mean "easy". Patch management and access control are things I have very rarely seen done well anywhere.
While the ASD top 25 has been around for a while, the ASD top four is newer and the mandate to implement it is only a year old. So expecting these issues to be resolved in a year is rather optimistic in my view (especially when bureaucrats get involved), and none of this news surprises me in the least (and obviously not only me)