> why is critical infrastructure getting OTA updates from third parties automatically deployed directly to PROD without any testing.

I am missing some details, perhaps

From what I see this was an update from Crowdstrike. They are a first party, no?

Was another party involved?