They knew they were vulnerable because they had been hit before. Many times.
While everyone is busy being “shocked – shocked! – to discover that ransomware is real,” it turns out that NHS hospitals have been getting hit with ransomware for a while. From The Independent, “NHS cyber attack: Doctor who predicted hack says scale makes him ‘worry about who is behind it’”:
“From a Freedom of Information request we know that over one third of NHS trusts have admitted to being hacked – but [in the past it seems to have been] individual organisations [targeted].”
So a third of your organization is hacked over some months, and Microsoft – and the whole of the cyber-security industry – starts yelling in March of this year that you need to update your systems or be in even worse stead, and you do nothing. (Exactly what would cause you to do something?)
Corporate IT departments will tell you that they can’t upgrade their systems every month. (I know; I used to work in those departments, though I was never the one saying that.) But I update my system every month. And LibreOffice, all my browsers (I use several over the course of a week), my Kindle for PC app, Spotify (which is usually playing music in the background), games, etc. ALL continue to work. If your in-house applications don’t work across a security update, you are doing something REALLY wrong. And you should figure out how to stop doing that.
And then they launch into the “cost” of this attack, in terms of the impact on patients.