I think we needs to understand better this first part, "While it is unclear from the report just how the hackers initially compromised Centreon, the report shows that, once inside, they used webshells to further their intrusion campaigns."
I used to struggle with the notion of software - Why is it that formal verification never took off? Then I realized, bad software is just another way of printing money for somebody somewhere.