If they had better funding they could have afforded 3rd party security reviews, which (if done competently) would have flagged this issue.

If they had better funding they could have hired dedicated security staff, who would likely be versed in the ways of securing DevOps pipelines.

Time is money, more funding == more resources to look at security properly.