in reply to US National Security
It has been my experience (ex-DoD) that it takes an incident to set the wheels of change in motion. For instance, I was in charge of a large and newly installed WAN a couple of years ago. I had noticed that there was a default password still in place on all of the routers and switches. Not only was this bad, but I could use the default passwords on the upstream routers as well. All of the cryptography and VPNs in the world are useless when you have access to trusted ports on the network. After all of the fussing I made with my commanding officer, I could not get authorization to change the default passwords; they wanted to leave it up to the contractors that installed the system. As it turned out, they wanted to be able to remotely access the system. I still think it is a bad idea.
So it does not surprise me that they are a bit lax on CGI security, but it will not take long for something to happen that will shock the upper brass into getting the Commands to fix their web security.
Sparky