
HanaBothWays t1_j1bg96n wrote

It’s kind of unique to medical devices. You can talk about Windows or Oracle databases having bad vulnerabilities and how you traced a hack of your company to that and they won’t come down on you like a ton of bricks, but it’s different if you say it was unnecessarily open ports (that you couldn’t close) in X company’s heart monitor.

This has gotten better in the past decade or so. There are better standards for manufacturers to secure medical devices and more established practices for hospitals to patch them and such (because you don’t want a ventilator to go through a patching cycle while a patient is using it, ya know?), but it’s still bad out there for this and other reasons.
