How can a major SCADA vendor be this clueless?

I am aware of a utility having just performed a SCADA upgrade with a major SCADA supplier. The previous version was not secure. Part of the upgrade process was to secure the new version. Following the completion of the upgrade, the vendor is remotely accessing the live SCADA system and making changes without informing the utility. Suffice it to say, there have been unacceptable incidents. What is incredible to me is the lack of procedural control by the vendor. The implications of this activity are staggering. Given all of the hype about cyber security, how can this happen???
Joe Weiss