Yes they were shocked. And it is simply because even the most fundamental laws of security (eg security is not scheduled via obscurity) have flown and fly over the heads of architects. They don’t understand software beyond the smallest of kernels which dominate execution time. They don’t understand that attackers need one weakness to exploit a system. They don’t know how to objectively analyze systems to prioritize their weaknesses (eg seeing how the coexistence and sharing between mutually untrusting software is a potential threat).

That’s why the biggest computer architecture breakdown came from outside the comp arch community.