I wanna tell you something that happened to me. I have a network populated by Windows XP machines, all patched and with Avast and they are all connected to internet and they use it on a daily basis for any sort of stuff. There are other machines in the network that are running other OS like Fedora Linux with Nod32 antivirus and Android with Avast as well. Last but not least, there are virtual machines with Win10, Win98 and other versions of Windows for testing purposes, but they are not accessible from the outside world. Recently we decided to setup a test bench in bare metal, running Windows Server 2019 and connect it to internet and the outside world. We've got an email from the ISP stating that one of our machines has probably been compromised as it has been used in an attack. Later on, we found out that the attacker managed to get access to the machine by using a vulnerability in the RDP protocol of Windows Server 2019. The machine had all the latest updates installed, but no antivirus or firewall other than the default Microsoft ones (it was a test bench after all). It's funny how someone who attacked a network full of Windows XP machines just ignored them, went straight to the one running Windows Server 2019 and managed to compromise it...
It surely makes you think...