Insanely widespread .... because the beancounters wouldn't agree to the cost of upgrading the software and then the hardware needed to run the new software. So blame the accountants for the whole mess.
<- Ex NHS IM&T.
Is replacing a multi million pound state of the art MRI machine because the control software only runs properly on XP is a sensible use of money compared to the deployed solution of either not connecting it to the network, or putting a hardware firewall in place that only allows access to the webpage that serves results? Did that result in any infections? No evidence to suggest it did so far.
The *actual* problem? The "NHS" is actually comprised of many hundred independent trusts, all of which operate their IT to widely different standards, many of which are not competent to be running a network. Why do I say that?
This is what's blocked on the central NHS mail system (nhs.net)
And we know that NHS Mail/NHS.net was not used to spread the infection.
Therefore, this event simply provides a map of which trusts are:-
A) Running their own onsite mailservers.
B) Not adequately securing said mailservers.
C) Not adequately securing their network.
The reason not to use the (cheap) central NHS Mail (nhs.net) for email when I was working in IM&T was if the trusts IM&T department did not meet the audit requirements for low level admin access to central systems or wanted to run their own (expensive) exchange setup. Which is sort of bourne out by having a network insecure enough to get written off by wannaCrypt.
Searching questions ought to be asked of these trusts as to what is going on, but they have so far gotten away scot free.