what common “basic hygiene” practices would’ve helped
Not using a proprietary, unvetted, auto-updating, 3rd party kernel module in essential systems would be a good start.
Back in the day companies used to insist upon access to the source code for such things along with regular 3rd party code audits, but these days companies are cheap and lazy and don’t care as much. They’d rather just invest in “security incident insurance” and hope for the best 🤷
Sometimes they don’t even go that far and instead just insist upon useless indemnification clauses in software licenses. …and yes, they’re useless: