Well, to be fair...
If it was a routine firmware update, I'd have left it a few weeks before doing it. But if it was flagged as a critical update, I would have done the update within that working week. Knowing the implications of the patch, HP should have validated the system they were performing a replacement on before doing the replacement. As they said "if this update had been done, none of this would have happened" they must have KNOWN of that vulnerability and the consequences of swapping a component without the update.
HP's EUA etc might protect them from being sued for the full damages, but it does not absolve them entirely.
My fear is that this will be used as an excuse for even more red tape and bureaucracy in an already management heavy system. A massive swelling of the ranks, and the associated expense, and all the ITIL and ISO certifications and training and documentation, but that's all so much fluff on top of getting the actual job done. They'll point the finger firmly at having to support and migrate legacy systems, accelerate the move away from those towards a corporate IT model and make even more people do their own thing. Tying all IT purchasing into a single supplier, for example, would exclude many medical and scientific instruments that come supplied with integrated systems; everything from water purifiers to brain scanners, from chocolate dispensers to air sampling systems, building management systems and audio visual systems. That's the feeling, anyway, I get from the document. Users feel IT don't understand the business, especially in research, IT say they do and you should do things their way for "reasons". Trust them. They are experts. But no-one else is allowed to be.
Biting the hand that feeds IT
