There's a decent chance they're the ones who said "no!" and got overruled.

(See also: quite a few bits of COVID mitigation)

This, exactly. There are so many "cyber experts" working for the U.S. government, and the vast majority are just cogs in a machine constructed by executive leadership who will always prefer inertia over radical changes.

I don't think this is that much to do with executive leadership. Many of those cyber experts only have a job because of Microsoft based tooling and vulnerabilities, and so they will prefer things they know over things they don't know (e.g. implementing permissions across a Linux estate).