With FISMA no one builds even remotely secure systems, nothing anyone here would even want their name associated with. And this is because under FISMA government executives can "accept risk", and they don't have to justify why.
So when your agency needs an application to do X, and you will face consequences if it doesn't get spun up, and to do so requires you cut a lot of security corners, but you won't face any consequences for doing so, you're going to cut those corners. Especially if not cutting those corners means delays in rolling out that system, or spending a ton of money to fix all those security problems. The state of information security in the government is atrocious for this reason. It's not that complicated. There is no real incentive to secure systems, and very real incentives to not do so. You just issue the ATO and accept the risk. It's up and running and everyone is happy. If it's not up and running, people are pissed. It gets owned, people shrug and say "well nothing is totally secure".
Until this changes, compromises will continue.