An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance’s vulnerable state?
A. The system was configured with weak default security settings.
B. The vendor has not supplied a patch for the appliance.
C. The device uses weak encryption ciphers.
D. The appliance requires administrative credentials for the assessment.