Survival of the fittest
> organisations within the NHS that were running unpatched versions of Windows XP but did not get a single infection because their machines were safe behind their network
Overall it seems that about 20% of NHS Trusts were affected by this attack. It would seem reasonable that those were the ones with the least well run IT systems. While there would be some "good" trusts in that number that were just unlucky - and some badly managed ones that lucked-through, generally poor security is a sign of bad management.
So while there will undoubtedly be platitudes and "lessons have been learned" press releases, there will just as certainly be more attacks in the future and more badly run trusts will find their systems get breached again.
The only real solution would be to have an outside body review the incidents and decide which ones were due to bad luck and which (i.e. the rest) were due to incompetence. And then to take severe action - given the number of guidelines, warnings, alerts and processes that are supposed to stop this sort of thing happening in the first place. Severe action, that recognises those incompetent trusts simply don't have a senior management: both IT and general management, that is up to the job of running their IT systems.