Any large organization that doesn't, at a bare minimum, implement NSA's Top Ten Cybersecurity Mitigation Strategies[1], ASD's Essential Eight[2], etc. is grossly negligent; and an insurance carrier willing to write a policy not conditional on implementing those strategies is equally negligent. The insurance carriers in this case could very well be attempting to deny payment under the acts-of-war exclusion because they're too incompetent or greedy to correctly write a cybersecurity policy.

[1] https://www.nsa.gov/Portals/70/documents/what-we-do/cybersec...

[2] https://www.cyber.gov.au/publications/essential-eight-explai...



>> too incompetent or greedy to correctly write a cybersecurity policy

Don't discount the insurers just yet. The act of war exclusion is likely preferable for the insurers because it would seem to broadly cover the entire incident and because it really doesn't require a whole lot of detailed discovery into Merck's internal processes. But if that fails, then the insurers will, most likely, once again try to deny the claim, this time focusing on the details of the cybersecurity-based policy exclusions.

My guess, with no evidence to back it up, is that the policy is very detailed and specific, and upon investigating its application, the insurers will reveal a lack of proper defense and mitigation processes by Merck, just as you describe.
