Hmm, having worked with sage/pay
seems they were stuck between a rock and a hard place as updating sage systems can be a right PITA.
Seems they did the right thing to me as it was unlikely the exploit would have been exploited in the time taken to rectify this.
Personally, good call on Sage to maintain their customers ability to use said service...