My impression is that you end up with bad code in critical systems due to the exact same forces as anywhere else.
Difference is, rather than ramping up the quality of the development / testing with the seriousness of the application, people tend to ramp up the requirement hair-splitting, ass-covering and accountability obfuscating.
Fighting this requires a rare, uncompromising attitude that often isn't conducive to remaining employed.
In addition to that, there are hardware companies that have always seen software as necessary but uninteresting, thus trying to cut costs on it as much as possible, and not knowing how to set up an environment conductive to good software development (like having non-programmer physicists code in C, or still being stuck using 80's source control tools).
(A classic case study -- a radiation therapy machine that was badly programmed, resulting in several accidents where patients were given massive overdoses of radiation).
This is one of the reasons I opt-out of airport scans. The less I stand in-front of something emitting radiation the less chance there is for a software error to cause me to get a higher dosage than was intended.
