Re: How Long?
"Would it not be simpler (and cheaper) to standardise all IT equipment across all NHS trusts directly from Whitehall? Think how Maersk dealt with NotPetya, by replacing all servers and desktops/laptops."
Either (a) Maersk had a very small variety of tasks for their IT estate or (b) they didn't update anything with a very specialised control function.
If you look at the NHS you'll find a lot of machines that could be updated to a current version of W10 and a lot running lab and other diagnostic kit that depend on specific drivers that either aren't going to be available for W10 or possibly not for the H/W on which W10 will run. Identifying those that couldn't be handled like that will not be a trivial project.
But take it a step further. If a lot of PCs are simply running office suites, email and browser why not introduce extra resilience? A monoculture of Windows PCs of any single version could be taken out by an exploit of some zero-day*. So for such tasks add a mixture of Mac, Linux and xBSD, say 25% of each, to minimise that risk. And Linux and BSD for servers.
* This also applies to Maersk of course. They may be protected against the last variant of NotPetya. But what about the next?