First of all, let me state that most of my machines are Linux, or BSD. I find the whole panic over WCry absolutely hilarious.
Something like OpenBSD, but less stringent:
First-tier is average OS support - six months' support tops; after that, you need to upgrade. You have version 4.3 while the latest version is 7? Tough luck.
Second-tier is emergency OS support: 12 to 18 months' support tops. On a specific version (meaning fubar 6.0 but not fubar 6.1, for instance), only back-ports of the most critical patches to the base system.
Every 5 years, for embedded and ultra-secure needs, you get an ULTS (Ultra-Long Term Support) version, which is going to be supported - provided you sign an annual support contract with mucho dinero - as long as necessary, including backporting patches from the newest version of the OS, but only for the base system. Anything extra you add to that base system is your responsibility.
The issue here really is pretty much the same as an "Internet of Things" issue: please, dear MegaCorps, use a nice, updated AND SECURE DEFAULT CONFIGURATION for your freaking products - no, Windows XP is not nice, updated and secure out of the box, and neither is Linux if you open 200 ports and services with "admin" and "secure" as login and password, respectively.
On a more general note, if you use Windows within your product, I don't care what that product is, you are asking for trouble.