We all know that breaking Windows is a hacker's clear objective.  That's for two reasons; firstly, the code (of both Windows and third-party applications) is demonstrably insecure and secondly, it's running on a large majority of PCs and thus is an obvious target.  Note that I'm saying nothing about the security of other platforms (hint: Mac), simply that Windows is the biggest and easiest target.

Knowing this, it would be reasonable to expect that users would be subscribing to and accepting Microsoft patches as fast as they possibly could.

We know that they are because the incidence of attacks based on relatively old vulnerabilities is exceedingly low.

Hang on, no it isn't. 

Worse, I recall reading about a very old vulnerability that was triggered to affect PCs on a specific date.  Perhaps it was the Michelangelo virus, perhaps another (I don't recall) but as the story goes, a large number of PCs correctly “went AWOL” on the date in question, but, notably, there was a significant tail of other PCs exhibiting the date-based effects on later dates – clearly the owners of these PCs couldn't even keep the system-date correct!

Surely, you would have to be living under a rock somewhere south of Brainrot, Arkansas to remain unaware of your obligations to ensure your Windows PC is properly patched, yet every new virus/worm seems to find plenty of un-patched victims to add to the latest bot-net.

What to do?  Should there be a ‘tax' on unsecured PCs imposed by their ISP?  Perhaps any PC discovered to be insecure should be banned from the Internet for 3 months.  What of the corporate world where IT staff are literally tearing their hair out trying to secure their systems from the (unintended) machinations of their senior executives.  Speaking of which, why is it that clear and deep financial knowledge in an executive is de rigueur, however it's OK to be entirely blasé about anything IT.

Allow me to summarise what to do…