I suspect more corpos have exposure like this than any of them would like to admit. E.g.: BigCo picks up a company SmallCo, and inherits their systems for some time. There's some cruddy ancient CRM, IT or travel system, and some random test tenant, that has hooks to email, and from there it's a short step to enumerate targets, send auto-generated emails from a trusted system and the hackers are off to the races.
Yes, it can be an endless headache. A company I worked for had acquired a smaller company with some products and services that nicely complemented our own products and services. From the outside it was a good match and, for the most part, the integration went well, but they had been using Rational ClearCase for over two decades and absolutely didn't want to migrate to git and the rest of our tool suite. They had very little turnover in their IT department and things ran very well for them, but higher-ups wanted everyone integrated into a single system and the accounting folks wanted to stop paying fees for all the Rational stuff, especially since they hated dealing with IBM. Infosec had pretty much no knowledge of how to best secure anything on that side and the acquired company had nearly no infosec capabilities of their own. When I left, it was still a point of contention that didn't look to get resolved any time soon.