I conjecture that the recent hacking of the Office of Personnel Management was enabled by similarly bad project management leading to sub-optimal, if not outright dangerously insecure software.
How does one solve this? Open audit of software? Better contracting standards?
“Cost realism” and “lowest bidder” make large projects in most government agencies a mess.
In my opinion, the situation at OPM is worse than healthcare.gov. The idea of protecting critical data with software maintained by the lowest bidders over the last 20 years is insane.
It’s far from clear that any government-funded software project has ever succeeded at defensive security. NASA’s stuff is, at least, highly reliable (don’t let the disaster stories fool you; highly reliable software is still fallible), but the majority of government software fails in that regard as well.
“How does one solve this” is kind of the wrong question, in that there is no present-day answer. “What fundamentals would have to change for this to be solved” would be a much better one. Also, I don’t have answers either so I’ll happily talk all day about what a difficult problem it is. :)