Here is an example of how the Government IT mindset runs today.
System A is scanned for possible vulnerabilities. A vulnerability is discovered. A check of the system reveals that software X was installed on the system. This information is then passed on to the security office.
The security office then determines that the vulnerability is not applicable to the network because software X is not part of the contract and therefore, according to the contract, does not exist and does not merit further action.
Repeat ad nauseam.