I worked for an MSP doing IT for an assortment of companies. Most of the companies were in the medical or legal fields. Every single computer they sold to their clients, used the exact same bitlocker key when booting the computer. If you've worked for one of the companies we supported, you knew the bitlocker key for all of them. Iat been the exact same bitlocker key for at least 10 years. This MSP also regularly puts out social media posts and emails saying how security focused they are etc, etc.
My impression is that being an MSP is a turn-key solution. A bigger company sells you the tools, training and support staff so you can cosplay as an IT company. The companies providing the tools, training and staff are making you dependent on them too, as well as making bank referring you to their partner solution providers.
specifically the industries with government protected sensitive data have yet another unique way that they failed. These mistakes are so low of a bar to clear that lazyness cant explain it away easly.