I don't know Citi at all, but at our fisrv customers I think (2) is more likely than (3) (neither is a mortal lock). I also think that this is a hazard of working with high-volume Big-4 type firms... but I want to tread lightly with that thought for obvious reasons.
No no, I absolutely agree with you (about the hazard). I worry about any company that puts all it's app test eggs into one large contract with a big firm (a statement which I'm sure would make one of my salespeople cringe). I find that the places who use a combination of multiple app testing companies in combination with their internal teams seem to fare much better.
For this specific vulnerability, I find it shocking that even the most rudimentary assessment wouldn't have caught it; but my own personal befuddlement might be biasing me against thinking that (2) is likely.
