The CSIRO decision to deinvest was pathetically short-sighted and stupid.

how does the "provably secure" operating system co-exist in a legislative environment in Australia where software products are required to have govt (and therefore anyone) accessible backdoors?

This is an oversimplification of what the law requires. It hadn't obligated code to provide the back-door it obligates certain classes of public access services. Your SSH and gpg code is safe on Australian mirror sites.