Key part of the article is that the data breach occurred 2 years PRIOR to the acquisition. How can due diligence possibly discover this? Seems like government overreach to me.
A detailed security audit of their systems should have uncovered areas where their security was lacking and they should have undertaken steps to remedy the defects. It’s something you should do during an acquisition anyways. If their software is crap, the price of acquisition should decrease by some amount in anticipation of the work required to meet data protection laws. Not performing the audit means not only are you likely to pay too much for the acquired company, but it also opens you up to liability as was the case here.
My understanding, and I could be wrong, is that the breach started 2 years prior to acquisition, and continued to be exploited until sometime in 2018 - several years after the acquisition.
And, regardless, if a company violates the GDPR and then quickly sells itself, should the relevant data protection commission just drop it? After all, they sold the company!
It says the vulnerability began two years prior to acquisition, but it does not say that it was a one-time event, and the rest of the article would not make a lot of sense if that were the case.