I'm a security engineer for a regional health system that includes 4 hospitals and numerous clinics. This is absolutely true and so much worse.
I was dragged into a bridge line with Cerner and had to explain to one of their System Engineers how to create a certificate. I had to walk him through everything. I've seen other vendors install EMS solutions that left very insecure intranet portals open to the world. I've found vulnerabilities in software and technology stacks, made a case with the vendor, only to have them deny it and then attempt to make changes without notification. It seems rampant.