Libraries, frameworks, and other security systems don't have to be developed in-house. It's just like basic data structures and algorithms: few ought to be rolling their own and should instead be using libraries.
All of those are insecure, so it's still a matter of staying ahead of attackers. And avoiding social engineering. And making certain the code that glues those libraries and frameworks together is secure. And making sure people don't accidentally leave an S3 bucket unsecured. And making sure every 3rd party contractor on-site doesn't take advantage of softer internal security. And making sure employees aren't bribed by competitors.
And making sure the business can still function while doing your best to limit functionality.
Yes and no; it was Apache code that was exploited. The failure tho' wasn't technical really; it was the lack of urgency in patching once the flaw was known, which is 100% on management.