Do we know the problem is in the software? There are a lot of other things that go into securing a large system like this: training and testing staff to resist phishing attacks, applying security patches promptly, maintaining least privilege as requirements, hardware and staff change, etc. It seems to me that unless your software package encapsulates every use case and enforces the security protocols itself, the only defense is an on-site security professional who is listened to.