I honestly can't remember who stated that, and you make a good point that the FIPS CERT is for the product and not the company. It's my understanding that the FIPS cert is only necessary for cryptographic material, a very small segment of government material. I'm assuming that $25 million contract was related to classified and secret material only and not top secret crypto material. I honestly doubt the DHS has very much crypto material, as that's usually more of a military thing.
If you find yourself in a fair fight, your tactics suck.