Swiss cheese?
Managing to have so many vulnerabilities that 12,703 are considered "high risk" in quite an achievement. Did they just collect as many old and unpatched operating systems and software packages as possible?
Now I know that updating a mission-critical system is not trivial, but come one this is rocket science and they normally have a complete standby system in place (often at a 2nd site "just in case") that can be patched and tested before going live.
Several million on spare computers is nothing compared to the billion for the bird after all.