why is no one....
Seriously kicking them for either allowing 1 member of staff to control updates/patching or alternatively making only one member of staff responsible?
Even in the smallest place I've worked in at least 2 of us cross checked for securiry updates periodically and ensured we regularly migrated to platforms with continuing long term support.
For a company handling that much data, it's hideously incompetent to allow that to happen ('hit by a bus' is my goto response for having more than one person responsible and knowledgeable about these things. Cancer is another, very real unfortunately argument as well)