People see this as an act of either carelessness or malevolence, both of which are unacceptable in an application that collects and stores very personal data on a large scale.
I think you have unrealistic expectations of applications developed for the public sector - I'm usually surprised if they do the core of the intended functionality correctly.
This isn't a project developed for the public sector really. Afaik it's a privately funded, for profit, product that has been licensed by several states in Germany by now.
Apart from that, the official (indeed publicly funded) Corona-Warn-App did a much better job at this. (They actually did follow all the recent best practices in software development + it's (mostly) run as a free software project, taking community contributions seriously, reacting to feedback and issues, etc.)
I see. Can you talk a bit more about the review process where you work to ensure no unlicensed code is committed? I assume there's either an automatic or manual, rigorous process that's followed.