Is it negligence or just incompetence? I get the sense that security is such a tough problem that all of us, even CISOs and red teamers, are incompetent.
If hospital workers spread disease because they could not be bothered to do the obvious things we -know- prevent this, like basic sanitation... then yeah, I would call it negligence.
Do not put long-lived cryptographic key material in the memory of an internet-connected system. Ever. It is a really easy-to-understand rule.