"the entire design efforts for any medical device are to make them work 100% and cause no new health issues"
A device with remote access vulnerabilities doesn't meet that description. It seems likely that the cause must be omitting auditing and/or testing for this in the current criteria. You'd think after Wannacry that more notice would have been taken of this. Maybe it is and is grinding its way through some regulatory process.