Not monitoring the components in your setup for security announcements is a fairly basic error. Someone should be watching these. Otherwise every Christmas would be a hackfest.
I raised the alarm for log4shell internally on December 9th, and then then it was being actively exploited. I know people at other companies who hadn't heard about it, or didn't think it was worth doing anything about, as recently as April.