"If you've just spent millions on an MRI machine and the software for it is [out of date]..."
You say "We're not paying for that, as it's faulty." A few pushbacks like that, and I expect the vendor would start taking security seriously. It may cost them millions up front to do so, but they can recoup by dividing the cost between their customers, by increasing maintenance contracts by a few %.
The first MRI supplier to do that will be rewarded with a monopoly on sales for a while, as insecure systems will be disqualified from tendering. Win-win.