I'm UKian and I'm astonished. Having worked in the UK Civil Service, sounds to me the person making this decision didn't know what it meant and that it was an actual security issue. Probably they thought it was sort of idly interesting, like speculating how many office computers are still beige. Not that you were listing sites with trusted nhs.uk domains that appear to be easy to hack.
I can assure you that we made it abundantly clear how bad the problem was - including sending link, screenshots, etc. Had phone calls with them where they did sound genuinely concerned.
That's...astonishing.