
I understand the saying "the cobbler's children go barefoot;" if a security consulting company spent the man-hours to make sure their own systems were perfectly secure, they'd never have the spare time to bill any to their clients. Still, when making a trade-off between practicality and security, a security company should keep in mind the possible PR consequences.

This wasn't quite like Google choosing a Linux kernel with a priv escalation bug or Apple leaving the JDK unpatched for 6 months. This was more like Google missing a great acquisition opportunity because they couldn't find the relevant documents on their internal fileserver, or Apple's website only rendering correctly in IE 5 because that's what they were using to test it.


