Obviously you don't know much about IT security
Even companies that have great processes in place get attacked, because there are new exploits are discovered against common software/tools every day. Lax security makes it easier, but even the best security will not let you sleep peacefully. People trying to secure things have to be right 100% of the time, the attackers have to be right only one time.
Plus the federal government can't easily force state/local governments and private business to improve their security. Let's say they allocate many billions of dollars to this. How do they spend it, do they send in a crack team of FBI/NSA hackers to force the fixes at gunpoint? Do they just write all these entities a check and hope they spend it wisely instead of making a few simple fixes and then wasting the rest on hookers and blow?