"Elements of the H-1B program that could serve as worker protections
such as the requirement to pay prevailing wages, the visa’s
temporary status, and the cap itself are weakened by
several factors."
Just because it is illegal, doesn't mean it isn't happening. Most people I know get more done when they aren't interrupted
I'm a morning person, but unfortunately it is much easier to get an uninterrupted block later in the day (6pm and after) than it is early in the morning (6am onward).
Standard operating procedure would need to change so the government entity has security as a requirement, details on how the requirement can be satisfied, and a bunch of money to pay for it.
So tack on $X million for each contract to have a 3rd party audit the code, documentation, and hardware for security vulnerabilities. And an added maintenance contract to fix any future vulnerabilities for the lifetime of the program (20+ years most likely).
From the higher up side, what do you get for all that money spent? No new functionality, no fancy demos. Going to be hard to convince them security is important when they can fund something they view as more critical or more interesting.
EDIT: To answer the question of what can be done, I think it'd require a culture change on the contracting side. The engineering side of the house is mandated to only do work that relates directly to the contract. The hours bid will likely be for the minimum necessary to satisfy those requirements. You can create a new interface, but you won't have the time to do any fuzz testing for example.