Solar winds should not exist. The update server sent up unsigned binary images with zero notifications of an update cycle or content change. Beyond that, the clients accept and install updates from system account with zero signature check or guardrails on elevated access.

DoD was compromised, senate, most major defense contractors. It took them weeks to figure out what happened and then only with the assistance of the entire world. Ancillary compromises that persist in an untraceable state within these networks are probably in the dozens.