Sure, this business should have converted to either of those and let someone else take over administration since they were clearly negligent. This is stuff that FedRAMP or it's replacement was supposed to fix but didn't.
FedRAMP is only for hosted software for the federal government afaik, not on-prem and not private companies (nuclear reactors afaik are operated by grids/private operators and the federal gov is responsible for auditing and regulating)
