Restrict access. Why does a prison management system need to be connected to a public network and be accessible to more than 20 or so authorized users? I worked on plenty of government systems using insecure software galore but it didn't really matter because we were air gapped and you needed to get through Fort Knox level physical security to get physical access to a terminal.
Granted, that doesn't make attack impossible, but it does make it very hard, especially when you disable all the USB ports and optical drives and socialize extreme consequences to any employees not following ITSEC rules.