"We controlled all..machinery inside the car wash and could shut down the safety systems,”"
It's that last part that makes this an epic fail.
I can (sort of) see a "test" mode where safety cutout switches are disengaged, like for an industrial dryer so it can be watched spinning while the door is open. AFAIK this needs the service engineer to be physically present and to physically do something to make it happen.
But allowing that to be engaged remotely? Are you f**king kidding me?
Monitor status of safety systems, yes. Change them remotely, no.
At heart we have a lot of mfg with the attitude "Security is not important. No one cares about our stuff enough to hack it. There's no money inside it"
They really don't get that if there's a server on the internet someone somewhere will want to know what it does and they will file that information for mischief or money.
BTW In a spirit of fairness other no longer supported insecure embedded OSes do exist.