Re: Seems you can't win.
They don't need to get it right. They just need to be able to cause some havoc.
Seems the NotPetya crims were unable to decrypt drive contents after victims paid up. Never mattered to them, they still got paid.
Suppose they'd used a known vulnerability, but only managed to infect and severely disrupt (=shut down) one hospital in a hundred. That's still a terrifying prospect if they attacked a thousand of them. Worse still, the remaining 99 would still be infected to some extent, possibly disrupted, potentially having a lingering latent threat.
The only real problem for criminals is developing a business model that would allow them to extract money from such an attack. If there's no benefit*, there's little likelihood that anyone is going to do it just to cause havoc.
*) Allowing for a scenario of an attack gone out of control by an arsonist firefighter, some hacker with a grudge or somebody on a vendetta against the medical system, but I don't think these are likely, or we would have had them by now.