Then it is even more damning to the head of security if they knew about the vulnerability. The ultimate person to decide whether a vulnerability is not to be patched is the head of security.
There are two unstated assumptions here: 1) She had the organizational power to order patching and rollout (which is more than the power to prevent a rollout). 2) She didn't try.
You may be right. But.