Split giant projects into small ones, award it to better smaller companies, require interoperability via API that is clearly documented and ask for around the clock security monitoring and patching. The last things being the same thing you do at any decent private company.

IBM or Accenture or whoever don't need to be the only ones winning tenders.

I have (the start of a) solution, but it's a boring one:

You have to have people who care about this stuff.

If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part.

And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked.

Absolutely. One of the root causes for these terrible tender processes is a fear of in-housing competence and skill for systems.

It's the same reason major govt. IT orgs keep pushing for closed source (recently the Swedish Tax Authority was in the media for _pushing for Office 365_ as necessary for operations), out-sourced designs, big firm purchases over FOSS or real standards.

You need people that care (and they exist, even in the gigantic state orgs.) in positions to make good decisions. Right now, everything is up in the hands of nebulously defined managerial staff with none-to-doubtful technical competence.

Another recent case: the Swedish digital exams platform flopped at a rough cost of a billion SEK. Can't sustain 150K concurrent users, despite paying a "large company". Like, come on.

Germany has iirc liability for the entire chain (engineers to upper management) in case of data breaches. I remember having to sign for that when I did a project in Germany. Would that help? I would not mind if the CEO/CTO of Odido would spend a couple of years in a federal pound them in the ass prison if it is found out the leak was due to malpractice.