Re: I blame Microsoft
I don't. I blame the network administrator.
SMB is not normally open at all unless you enable file sharing. I would have to check what the default is on recent versions of Windows, but most ports opened by default are not open to the public network. You can't even ping a Windows machine now, as ICMP is blocked off by default.
However, in a corporate world you shouldn't be accepting any default ruleset anyway. Just look at what your org requires and push out the rules you want with group policy.
Yes, in the past default configurations of Windows were wide open to enable ease of use. This is less the case now. If you put in the effort, though, you can lock down Windows very easily. You can block off any port you want and only allow permitted applications to run. You can do all this centrally with group policy, so there really is no excuse. Start from a model that no user can do anything or access any resource unless specifically allowed by a group membership.
Of course you are still open to zero days and some things just can't be anticipated. This is why you also make sure you have tested backups and a recovery plan. Preferably multiple independent backups to different media using different backup products.
Prevent what you can, limit the damage of anything you can't prevent, then make sure you can recover from any damage. Learn from any incident to improve your future prevention, damage control and recovery.
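As an added example (not part of the post above, and not Microsoft's own guidance), this is what the deny-by-default firewall model described above looks like when pushed out with the NetSecurity cmdlets. It assumes Windows 10/11 or Server 2016+ with the NetSecurity module, an elevated PowerShell session, a hypothetical GPO named "Workstation Firewall" in the domain corp.example.com, and a hypothetical corporate subnet of 10.0.0.0/16; the `-PolicyStore` value is what makes the rules land in Group Policy rather than only on the local machine.

```powershell
# Added example: deny-by-default inbound firewall policy pushed through Group Policy.
# Assumptions (hypothetical): GPO "Workstation Firewall" in corp.example.com,
# corporate LAN 10.0.0.0/16. Run elevated with the GroupPolicy RSAT tools installed.
$Store  = 'corp.example.com\Workstation Firewall'   # use 'PersistentStore' for a local-only test
$CorpNet = '10.0.0.0/16'

# 1. Every profile on, inbound blocked unless a rule allows it, dropped packets logged.
Set-NetFirewallProfile -PolicyStore $Store -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 2. Turn off the built-in file-sharing rule group (SMB 445, NetBIOS 137-139)
#    so enabling a share does not silently expose it on every interface.
Disable-NetFirewallRule -PolicyStore $Store -DisplayGroup 'File and Printer Sharing'

# 3. Re-allow SMB only from the corporate subnet and only on the Domain profile.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'Allow SMB from corp LAN' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $CorpNet `
    -Profile Domain -Action Allow

# 4. Explicitly drop ICMPv4 echo requests on the Public profile.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'Block ICMPv4 echo (Public)' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Profile Public -Action Block

# 5. Audit: after the policy applies, list every enabled inbound allow rule that
#    still accepts traffic from any address on the Public profile. The goal is an
#    empty table; anything listed is a port you are exposing on untrusted networks.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
    } | Format-Table -AutoSize

# 6. Cross-check against what is actually listening, independent of firewall state.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique | Format-Table -AutoSize
```

Run `gpupdate /force` on a test machine and re-run steps 5 and 6 before rolling the GPO to a wider OU; the firewall audit tells you what the policy permits, and the listener list tells you which services would be reachable if a rule were ever loosened. Application allow-listing (AppLocker or WDAC) is a separate policy from the firewall and is not covered by this block.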