If you're just sitting there open-mouthed, wondering how hackers could have been sitting unnoticed in the Citrix corp network for a year, here's why:
A random user's request for a slight change in the main page color is a Functional Requirement.
Security patching, intrusion detection, etc. are Non-Functional Requirements.
Because users don't require that the system doesn't leak their data to random dark web forums.