"I would disable the USB bus entirely"
So how would you support Mice, Keyboards and Joysticks? And how long would it take you to retrofit all of the some 100K+ PCs rated "secret" or above in the Government?
It does not have a potentially unlimited budget. As was mentioned above, these are often contracted third parties who develop the systems. They put in bids on government jobs and undoubtedly have their own margins to look after. Once the job is awarded, my understanding is that you can't change the price-tag it was awarded at. (At least, not easily)
The individual contracts have limited budgets, but if there were a DoD or Government-wide instruction that all systems meet a specific security standard, all contracts would be amended (cost increased along with scope) to comply with that standard. There's very little external pressure to constrain the maximum possible IT and IT security spending within government, especially the military.
The costs of good vs. bad IT security are actually not terribly significant in the context of the overall defense budget, either.
It's really a failure of process and vision, not resource constraint. Government IT and IT security used to lead industry; now consumers especially and even enterprises are more advanced than government.
you can disable any removable device, except the drone itself which seems talking back to the base using [non-encrypted] regular TCP/Ethernet and thus is a very plausible vector of continuous re-infection. The problem is well known and dates several years back:
Seriously? Have you ever worked on a PCIe bus device? They are hard to design, hard to test, and in general quite expensive. You're not going to build PCIe keyboards and mice that cost 10,000x COTS. That would at the very least cost someone their political career. (And the people who are making the decisions think about it that way, whether you want them to or not.)
