Would imply the vendor's processes were lax. Most software is built out of third-party components, and if they themselves are not verified then there will be these kinds of exploits.
This was unlike anything seen before.
But computers will only do what they've been told to do.
We use SolarWinds; it got an update early this year, perhaps with the very version described above (I'll have to check). Not a fan of it (slow/clumsy). Although it does contain a lot of internal network topography information, it doesn't know everything. We also monitor all external interactions closely.