[0xffff2]

They pay the penalty and they are expected fix the issue. If they don't, there will be additional enforcement actions.

[Mistletoe]

Doing anything at all probably costs more than $1M.

[alephnerd]

Not that much more.

Furthermore, security vendors like Avaya and Unisys could arguably be in breach of contract with customers because it could be argued that they misrepresented their internal security protocols to customers.