> If the government owns the infrastructure, but outsources the day-to-day running to a company that's one thing

This is still very problematic. To be honest, even using foreign hardware or propietary software is problematic. But you should reduce dependence as much as possible because it is a huge vector that should the foreign government decide to turn on you openly or secretly, it could bring you down before you have a chance to detect what is happening. I believe wars between developed countries will operate at this level (i.e. by targeting foreign dependency chains whether it be national systems for id or simply cutting undersea cables)