Re: Failing to do so.
They will be well aware of the issues but a combination of legacy kit that can't just be upgraded (Scanners running XP, and likely connected PCs also requiring XP), no resourced to mitigate through isolation and a belligerent staff who won't stoop to carrying out awareness training, will all add up to an ongoing risk form repeated attacks.
Plus public sector IT has been an easy target for cuts for years. It was down to the bone years ago and they've still gone further. You can't reconfigure massive networks at the drop of a hat with two apprentices and a co-opted janitor. Even when the politicians wave their mighty soundbite wands.