Where to start?
Serious organizational failure. Equifax executives HAD to know that their organization, given the data they hold, is at the tippy top of every hacker's wish list. They needed to have put in place extremely proactive currency and patching protocols. It is manifestly evident they did not.
There should have been a TEAM whose only job was to monitor and assess NIST (and other) notifications.
That team should have been backed up by an in-house instant response team to force the necessary patches through the testing/QA cycle into production quickly and safely. (Note that this vulnerability had the highest possible NIST rating.)
That team should be backed up by a team dedicated to ensuring that the entire software stack in place is at supported levels, so that patches COULD be applied.
CSO, CTO and CIO should have been receiving and reviewing monthly reports on patching levels across the enterprise, and reporting gaps to the rest of the C-suite.
Massive fail at the CEO/COO/CIO/CTO/CSO level. Any one of them should have been asking questions about the company's ability to prevent such a hack. For a company holding the data Equifax holds, those protocols should be table stakes.
I want (but won't get) some personal accountability from these executives. Stripping of bonuses and stock options (retroactively) would be a good start.