" That seems to be the case. The CardSystems employees were negligent and incompetent in choosing to deploy Microsoft products in their data center."
I disagree.
I'm not a big fan of Microsoft, but it's not any worse than anything else.
What I do for a living is to fly around, visit my customers, break into their applications, systems, and networks, and systems. The operating system it's self is only a small part of the total attackable surface area.
My understanding is that they knew where the problems were for a long time, knew how to fix them, and just plain old didn't apply the patches or make the configuration changes that they knew needed to be made.
"What I do for a living is to fly around, visit my customers, break into their applications, systems, and networks, and systems. The operating system it's self is only a small part of the total attackable surface area."
Left out the part 'tell them what to fix to keep the bad guys out' :)