I don't think that is accurate. The rollout took time but ultimately disabled certificates that weren't updated. It also didn't lead to major attacks as weak keys still needed to each be exploited.

Sending 3rd parties perfect copies of private data of your citizens to run a credit scheme is a different place.