I believe this has more to do with the ternary operator being used inside of string concatenation.
I would eliminate this issue by relying on a classic if statement, but WordPress provides a helpful function selected, giving us:
$terms = get_terms( 'department' );
if ( ! empty( $terms ) && ! is_wp_error( $terms ) ) {
echo '<select class="widefat" name="departments">';
foreach ( $terms as $term ) {
echo '<option value="'. $term->name .'"'.selected($_POST['departments'], $term->name, false ).'>'. $term->name . '</option>';
}
echo '</select>';
}
However, there is something more egregious going on here that is unrelated to your question. What if we have a term named "><script>alert('hello world');</script><option>? We have an avenue for an injection attack here due to an unescaped variable output. So lets update the code with some escaping so that it’s secure:
$terms = get_terms( 'department' );
if ( ! empty( $terms ) && ! is_wp_error( $terms ) ) {
echo '<select class="widefat" name="departments">';
foreach ( $terms as $term ) {
echo '<option value="'. esc_attr( $term->name ) .'"'.selected($_POST['departments'], $term->name, false).'>'. esc_html( $term->name ) . '</option>';
}
echo '</select>';
}
Now any HTML or entities that may have been unexpectedly inserted have been made safe, and the code is secure. We can also simplify the code to make it easier to read:
$terms = get_terms( 'department' );
if ( ! empty( $terms ) && ! is_wp_error( $terms ) ) {
echo '<select class="widefat" name="departments">';
foreach ( $terms as $term ) {
?>
<option value="<?php echo esc_attr( $term->name ); ?>"
<?php selected($_POST['departments'], $term->name);?>>
<?php echo esc_html( $term->name );?>
</option>
<?php
}
echo '</select>';
}