DOE is saying that their business networks are impacted, but they maintain pretty tight controls on access to the internal networks used with powerplants, particularly the nuke plants.  I briefly worked on a DOE contract and the restrictions were pretty strict (such as no USB devices that had not been certified through their security group, with immediate reporting requirements if you see anybody using one that does not have the appropriate clearance markings).

And those auditors are frequently barely literate in the subject at hand.  Working at a credit card processing company, I was given responsibility for dealing with the auditors after the previous admin who had been doing so thankfully transferred to another department (she was WORSE than useless - she generated EXTRA work for everyone else through her incompetence and refusal to follow advice or instructions, causing several outages).  The auditors wanted to be sure changes to certain system files were tracked, so they required that the servers send an unencrypted email weekly with a diff comparison of a number of files - including both the password and shadow password files, and we had to provide a copy of such emails during an audit.  I'll note that the scripts set up to do this did NOT update the reference copies of those files being checked, so this was a diff comparison between the current files on the system and those that existed at the time the script was created.  I explained to the next auditor exactly WHY that was a really bad idea and she agreed with me and dropped it from the audit requirements.  The very next auditor, after I was laid off, insisted that it be restored and it was.  From what I understand, over a decade later, it's still an audit requirement.  (as everybody who has the least bit of clue about what sort of information would be useful to have if you wanted to hack a server goes into convulsions reading this).  That was at one of the largest credit card processing companies in the US, and knowing that an incompetent ass of a VP who worked there went to work for the competition after being shown the door because I revealed his incompetence to the right person, I have zero hopes that that other company is any better.  I've also worked for a Big Four accounting firm and assisted with audits, and seen the internal documentation they maintained, that particular one was still using documentation and criteria for a version of an operating system that had gone end of life two years prior, and had nothing more current that I could find in any of my searches, and I couldn't even find who to contact to update that documentation.

I've had to touch two of the three within the past two years, and got contacted by a recruiter about one of them today.  Thankfully, VMS is nowhere on my resume, I barely remember having to do some class assignments on it in the early '90's.

And 100 virtual servers is a small installation.  There's a reason Ansible is gaining so much traction, but it operates single-threaded, so if you've got a narrow window for updates, you may have to update only a small number of servers per window.

The other part of the equation is that companies doing hiring are frequently using automated applicant tracking systems that are retarded, so unless your resume has the exact keywords they want, it gets rejected, even if you said the same thing in a different way.  Plus, of course, they want certifications which are largely useless in many cases.

One of the difficulties is that it's an EXTREMELY deniable attack vector, frequently using systems they've already compromised to attack others, and hosting stuff in countries that don't have the resources or laws to do anything about it.  Backtrack an attack and it's a system that was compromised earlier with no logs to indicate where it was compromised from.

Probably the same one, it was old and considered out of date in the '90's, I think the cluster where we did that assignment was upgraded to something else a quarter or two later.