By their own admission, Equifax was likely not in compliance with the PCI-DSS, even though they store credit card data.
Under the PCI-DSS they had "one month" to patch their servers after the patch was released, which means that they should completed the patching process around April 10.
There is, however, one important piece of information Equifax is not disclosing: which version of Struts they were running at the time of the breach. This lack of information is a tad suspicious, as it leaves room for the interpretation that they were running a version that was already obsolete by last year. The CVE-database lists a number of vulnerabilities of 4 and higher. Under PCI-DSS, all of those must be patched within one month after a fix is available. There are several 10s from last year.
For instance, all versions 2.3.x before the patch (2.3.32) are vulnerable. Given that Equifax was unable to patch their servers within the required one-month period, is it all that unlikely that they patch very infrequently and were still running an older version. Say, Struts 22.214.171.124 from August 2012? Or 126.96.36.199 from April 2015? In short, a version that suffered from a number of other high-sev vulnerabilities?
Granted, the PCI-DSS isn't exactly a model for the tightest security, but if a company like Equifax can't even meet those standards I fear the worst.