"Adequate" is inadequate (excuse the pun). It is a weasel word that makes it very easy for the customer to think that they have one policy but learn a hard lesson when they try to claim.
In principle, I agree with the insurer. Failure to take "adequate" precautions makes you a higher risk, and if that is not recognised against your policy cost then everyone else's must increase to socialise the loss caused by your lack of foresight.
But adequate must have provable definitions if you are going to deny claims based on it. If my car insurer stated that my car must be adequately maintained, a current certificate of registration proves that my car passed the required certifications. If they have other additional expectations, like 6-monthly services etc., then they need to stipulate that explicitly.
Back to the case in point. If adequate means that patches should be applied within 30 days, what do they mean by that? Windows Update? Sure. What about that old version of JRE that is still needed to run that legacy system? What about that system that has been powered down for 6 months with its user on some type of extended leave? Is your policy torn up because they switched their computer back on and it was not updated for a few days? Is your router patched?
Most people don't want to accidentally leave their networks open to pwnage. For many, it is a case of being naive rather than reckless. Providing easy-to-digest guidelines for your customers has the double advantage of protecting them, making your offering more valuable in their eyes and by extension more profitable for you.