US can be as bad
I know of a router used in US military systems where it passed all security audits with flying colors, but it has a small RTOS license cost to the supplier. The supplier replaced the router with one based on Open Source, and that wouldn't even pass the most basic of security audits. The US military didn't bat an eye-lid. Or perhaps the fears of all the suppliers engineers were not passed on and the military didn't check.