Despite a federal order mandating that civilian agencies identify and patch all known instances of the vulnerability, experts say the disclosure of a federal agency compromised through Log4J almost a year later underscores how the deeply embedded nature of the software bug will continue to facilitate intrusions for years to come.