This issue definitely falls back on the client and this particular issue comes back to Patch Management practices, and also the ability to detect the zero-day exposure through good Vulnerability Management.
I have several enterprise clients here in Australia with Citrix NetScaler's that were vulnerable to the exact same issue, and fortunately all of them were able to implement the initial workaround that was issued in late December.
One of my clients didn't patch until 7 January, which was just in time for malicious actors that were starting to exploit this vulnerability actively on or around 11 January.
We're lucky in Australia that our government was tracking exposure to this issue, and they were contacting large organisations to warn them to check they had applied the patch too.
@MJM I agree, bad patch management is a major issue. But I think this also points out a major resilience issue for the organisation as well. They certainly need to review current current Hygiene practices, DR and BCP and some more investment from the board given the circumstances.
I hope they did not simply fall back to cyber insurance to bale them out.
I agree the Australian Government is very proactive, and I would say the New Zealand CERT was also doing a similar approach to minimise the impact.