As it turned out, the problem was apparently caused by sloppy development and implementation practices. Good code management is what was needed, and this is a purely operational issue.
Are you her lover?
Equifax said they knew of the patch, but haven't mentioned why it wasn't applied. They are still investigating. One theory I've read is that the programming code needed to be tested before applying the patch to the live server. Maybe they couldn't get the code to work with the new patch and made a business decision to keep it online. It's unbelievable they would do this with an internet-facing server.
The company I work for is an IT vendor (VAR) for a major, international US-based bank, and you know their name, it's in the news a lot. We sell and deploy them infrastructure, primarily servers and storage. Several times each year, we get security bulletins from their "Risk Management" team. In this case, the vulnerability was discovered on March 7th, 2017. On March 14th, we received a security bulletin notifying us (and all of their IT vendors) of the ASF Struts vulnerability, and asking us to certify whether our equipment and software contained this vulnerability, and if so, we needed to detail our plan to assist them with patching the vulnerability when a fix was published and available.
They do the same thing internally across all development teams. And you are correct, this is an operational issue. This kind of process, or something similar, should've been in place at Equifax, and I'm speculating that there was nothing of the sort. It is not unreasonable to expect that the CISO at Equifax would ensure operational processes like this are in place. It's her responsibility to do so, and if she learns those processes are not being followed, heads roll. That's leadership, and it's not specific to IT Security.
These types of problems, lack of procedures and sound policy, are why auditors exist. I'd be curious to learn the frequency and results of recent IT Security audits. She came from First Data, where there are constant internal and external IT Security audits taking place for SOX and PCI compliance. Those should've been happening at Equifax as well, and they damn sure should've covered the operational topic of "Patching Application Servers".
Others in this thread have indicated their belief that this CISO is being treated unfairly. I disagree. Ultimately this was a failure of leadership, which was her primary responsibility and which she failed to provide. She was there 4 years, and that's plenty of time to understand what is happening, operationally, within the organization she was tasked to lead.
While we can rest assured that government, on all levels, is operationally indifferent and unaccountable for securing the personal data of the public, hopefully members of the Board of Directors at every other organization (credit bureaus, banks, healthcare orgs, online merchants) storing consumer/customer data are now wondering what's on their CISO's resume, and will be asking their CEO next week if that person is, as Gunny Hartman says, "fit to pack the gear and serve in my beloved Corps".