There's two sides to this. There's a "just patch" religiosity that ignores the practical difficulties of patching. On the other hand, it's been over 15 years since you learned that you shouldn't be putting systems on the network that are difficult to patch.

https://twitter.com/cnoanalysis/status/1140656658831380485

You can't patch that medical device with RDP exposed, and frankly, you can't even scan the network for fear of crashing medical devices. I understand that. My question is why the hell you've been buying medical devices for the past 15 years that can't be patched or scanned.

In any case, your chief threat from an RDP worm isn't unpatched RDP so much as mimikatz/psexec infecting patched system that aren't even running RDP in the first place. That's the lesson notPetya taught us.

If you are a typical organization, you patched 90% of vulnerable RDP systems, and the remaining systems you probably don't care about, like decommissioned VMs that are still running that you haven't bothered to turn off.

But that old VM has a domain admin logged in, so once it's credentials are stolen, all computers in the domain are infected, moving on to other domains with trust relationships, and now your employees get a free month's vacation as you attempt to restore your business.