Re: Great analysis - thanks
The vast majority of affected systems were corporate, not personal systems. These end up being maintained by corporate IT departments, which usually don't automatically patch the desktops.
This is usually because they need to ensure that any patches released will not prevent software used by the company from working. They'd want to regression test it before rolling out the updates.
This all sounds reasonable to a degree, but you get cost-saving measures whereby corporate IT departments use a static patch deployment cycle of their own (maybe every 6 months) rather than every time an update is released. As such, security updates can go many months waiting to be deployed in corporate networks, increasing the level of vulnerability to pretty much every type of malware.
The solution to this is for corporations to change their procedures. Interim security patches like the March patch don't require batch regression testing as they might when a large feature patch is released.