reset password
Author Message
cysun
Posts: 2935
Posted 14:51 Apr 27, 2020 |

SQL Injection

aruizcr
Posts: 2
Posted 14:53 Apr 27, 2020 |

So was this a failure to use prepared statements? Or a bigger workaround?

cysun
Posts: 2935
Posted 17:12 Apr 27, 2020 |
aruizcr wrote:

So was this a failure to use prepared statements? Or a bigger workaround?

From the article (emphasis mine): "The zero-day vulnerability that made the attacks possible was a pre-authentication SQL injection flaw found in the custom operating system that runs the firewall". My guess is that the custom OS is probably not written in Java (usually it's C/C++), so they don't have PreparedStatement. SQL injection can happen in any language. In Java it can be dealt with easily with PreparedStatement; in another language you'll need to find some similar solution.
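
Added example (not part of the thread, and not code from the firewall or the article): the "similar solution" outside Java is a parameterized query, shown here with Python's standard sqlite3 module next to the string-concatenated form it replaces. The users table, the account, the function names and every input are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", "constructed-hash"))
    return db

def login_concat(db, name, password_hash):
    """Vulnerable: input becomes part of the SQL text and can change the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password_hash = '" + password_hash + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_bound(db, name, password_hash):
    """Hardened: the SQL text is fixed and inputs are bound purely as values."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password_hash = ?"
    return db.execute(sql, (name, password_hash)).fetchone()[0] > 0

def attempt(check, db, name, password_hash):
    """Run one login check; report a query that fails to parse as 'sql-error'."""
    try:
        return check(db, name, password_hash)
    except sqlite3.Error:
        return "sql-error"

def compare(samples):
    """Return (concatenated result, bound result) for each constructed input."""
    db = make_db()
    return [(attempt(login_concat, db, n, p), attempt(login_bound, db, n, p))
            for n, p in samples]

# Constructed inputs: valid login, wrong password, a classic tautology string,
# and an ordinary name that happens to contain an apostrophe.
SAMPLES = [
    ("admin", "constructed-hash"),
    ("admin", "wrong"),
    ("admin", "' OR '1'='1"),
    ("o'brien", "x"),
]

if __name__ == "__main__":
    for (name, pw), (concat, bound) in zip(SAMPLES, compare(SAMPLES)):
        print(f"{name!r:12} {pw!r:20} concat={concat!s:10} bound={bound}")
```

The two functions agree on ordinary input and diverge only when the input contains quote characters, which is why a review should look for string-built SQL rather than rely on tests with well-formed input.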