Having worked in the medical device industry for over a decade, I know first-hand how bad the security situation is on the vast majority of devices. It's by no means unique to St. Jude. The fact that these issues exist is also old news, as noted in the Bloomberg article linked by jevinskie.
In addition to new devices continuing to take a lax approach to security, there are the ongoing vulnerabilities in the older devices. The older models continue to be sold, and many of the older devices are still implanted in patients.
Is it an issue? Yes. Should something be done about it, perhaps by withholding FDA PMA or 510(k) clearance on new insecure devices? Probably. Is it unique to St. Jude? Not in the least.
I remember talking through the whole process with some of the engineers deepest into it and thinking "holy crap this is bad." It then scared me more, because I'm only 6 months out of university, what the heck should I know? But this crap passed FDA approval and had a team of very expensive people working on it.
I left that place after less than a year when I realized the only people I was working with had been in the industry for 20+ years, were pretty much doing the same thing they'd been doing for two decades, and more importantly, were absolutely resistant to doing anything differently. I think that's one of the biggest problems with medical devices: hardware/low-level engineers are generally older and not used to preventing the types of threats that you'd be used to preventing if you spent most of your time building software that's on an open network. They're not put in an environment that really rewards adopting new technologies or practices, the development cycle is incredibly long because of the approval processes, which means that whatever you get to market is 3-5 years old at best, and they're constrained by hardware limitations (for cost, battery life, and form factor) as well. For many reasons, and a lot of them very good (people's lives depend on this stuff, after all), you will always be working with hardware and software tooling at least 5-10 years old. A lot of their products were just iterations off a previous generation for better battery life, smaller form factor, etc. and most of the codebase was from when I was in elementary school.
I worked with a lot of incredibly smart people that on their worst day could do things with hardware that I'll never be able to do, but at the same time they couldn't implement a secure communication protocol if it meant THEIR life depended on it. Someone like myself that comes in bright-eyed and full of wonder is either going to lose their light or move on because there's just no way to do anything truly novel in that space if you're working for one of the well-established companies. Don't get me wrong, when it comes to medical devices, chasing new and shiny is no way to go. But a lack of version control, a horrible QA test rig/system, and basically no diligence around a repeatable process are not chasing new and shiny.
BTW we're hiring. If you're reading this comment thread, you're probably a great potential team member. Email in profile.
The problem with most of these devices is that if you can get them to ACK, you can pretty much get them to do whatever you want and the instruction set isn't all that complicated once you've grabbed some data streaming through the air for a little bit.