
Ouch. Avoiding this sort of thing is supposed to be Accellion's core competency. If it really was a protocol or server flaw, more breach notifications could be coming.

They list some big clients on their website - Kaiser Permanente, KPMG, the NHS, etc.

> Prevent breaches and compliance violations with total visibility and control over IP, PII, PHI and all sensitive content exchanged with third parties

edit: The Reserve Bank of New Zealand and the Australian Securities and Investments Commission were also breached; news articles pin the blame on a SQL injection in Accellion's File Transfer Appliance (FTA).

https://www.databreachtoday.com/australian-financial-regulat...

Here's the relevant quote from a GeekWire article:

"A representative for Accellion told The Times that the breach involved a 20-year-old “legacy product” which the company has been encouraging customers to stop using."

Basically, you can either blame Accellion for not supporting old products enough, or you can blame the State Auditor's office for not upgrading in a timely manner, depending on your POV. I think 20 years old is enough that I'll blame the Auditor's office.


FTA is still a revenue-generating product under support which they claim is secure.

https://www.accellion.com/products/fta/


It is true that it's still under support, however that page you linked is almost 100% about migrating away from FTA to kiteworks which is their new platform. I would be relatively shocked if it's actually revenue generating in 2021, unless they charge for support. At my company at least, anyone calling about a product on that page would be very clearly told we're not selling new contracts for that, would you like to hear about NewShinyThing instead.

That said, a SQL injection vulnerability in a 20-year-old product definitely raises certain questions.


How old is Bobby, you know Little Bobby Tables?

https://xkcd.com/2085/
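The Bobby Tables comic is a joke about exactly the bug class reported for FTA. As an added illustration (not code from the thread, not Accellion's code, and not its schema; the table, rows and inputs are constructed), here is the vulnerable pattern next to its parameterized fix, run against an in-memory SQLite database so it works offline:

```python
import sqlite3


def make_db():
    """Constructed sample table (not any real product's schema), kept in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?)",
        [("Alice", 90), ("Bob", 85), ("Robert", 70)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The defect behind most SQL injection bugs: user input pasted into the SQL text.

    The database cannot tell where the intended value ends and attacker-controlled
    SQL begins, so a single quote in the input changes the query's structure.
    """
    sql = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a parameterized query.

    The SQL text is fixed at development time; the driver sends the value
    separately and it is never re-parsed as SQL, so quotes stay data.
    """
    return conn.execute(
        "SELECT name, grade FROM students WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both variants on a benign name and on a constructed hostile input.

    The hostile string closes the quoted literal and appends a tautology, the
    same trick the comic's 'DROP TABLE' input relies on; here it only widens
    the WHERE clause so every row is returned instead of one.
    """
    conn = make_db()
    benign = "Alice"
    hostile = "x' OR '1'='1"  # constructed test input, not a real captured payload
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable function returns the whole table for the hostile input; the parameterized one returns nothing, because no student is literally named `x' OR '1'='1`. Every mainstream database driver offers this placeholder mechanism, which is why a SQL injection in a supported product is treated as a basic engineering failure rather than an exotic flaw.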


Yes, if they have a known vulnerability in the wild in a currently-supported product, the rest is just details.

Tangentially, I wonder: has anyone built a friendly browse/search interface for all-time CVE data [0]? This makes me curious about what the history of SQL injection vulnerability discovery looks like.

0: https://cve.mitre.org/data/downloads/index.html
