This really is depressing reading. I've had my arguments, sorry, discussions, with management concerning compliance with security regulations. You know the sort of thing - the government says we must do this, we are telling the government we are doing it, so we really ought to be doing it or someone is going to have a problem when they find out. Sounds like the management simply was not interested in compliance, just wanted NASA's and the DoD's money. After all, usually Security is the IT Security minion's responsibility isn't it, and spending money on security does so reduce teh profitability of the company and slow down the system with those naughty internet firewalls.
This is why I retired. Will horses would not drag me back.