Buried in the CISA advisory of 13 December 2020 in “Conditions for Reconnecting Unaffected Versions” is this

b. Agencies shall not follow the hardening guideline’s requirement to ensure their SolarWinds instance is patched to the latest version, pending further direction from CISA to do so.

Basically – it is safer to simply dump Solarwinds as their lax attitude to security should be answered with the complete wind down of their business. It is long past time that negligence to cyber security is dealt with in a harsh manner.