Double failure
If you take Smith's words at face value, then there was a double failure here. One guy failed to notify others to apply the patch, and their vulnerability scanning software failed to pick it up. While the human element is fairly easy to fix, I'm at a loss to see why their vulnerability scans didn't pick up on the known issue in the months following the release of the patch. Perhaps they aren't updating this software either? Would that make it a triple failure?
If someone did mess up as Smith says, then kudos to him for telling the truth about what happened without naming the individual and taking personal responsibility for it.