As per when I was the performance and security test assurance authority on this programme, an issue still remains in the form of no clear end to end ownership of the overall technical solution.

Lack of centrally driven (architected) design processes facilitate suppliers to narrow focus on their elements only, rather than taking a wider view of an end-to-end solution and its interactions with other suppliers’ elements.  This results in the assurance function outputs being ignored / overridden and collaborative working between suppliers accepted by middle management as too difficult to achieve right now.  So, a stalemate situation arises leaving technical misalignment and gaps.  Leadership is then blind to the truth, assurance functions are deemed to be providing no little to no value and suppliers get away with raising a continuous stream of contract variations, in an attempt to align the technical direction, but still in partial isolation and favourable to them, rather than the wider programme.

An example / food for thought, who owns the security of digital forensic data?  For example, photographs stored on the SD card of an end user device.

The solution is as @Peter Clemons has said many times before, you need at least a central technical authority to provide architectural design governance / oversight.  Diversifying the supply chain to avoid a monopoly makes sense, until you try to hold them to account on elements that overlap.  Now whether you issue the entire delivery to a single supplier / consortium or enhance the home office central technical governance is a question I would love to begin a debate on.  Personally, I would prefer the later as it was almost there before.