
Comment Re:Nope (Score 3, Insightful) 117

On the other hand, the likelihood of this vulnerability actually being exploited is quite low for quite a few reasons... Primarily, because it requires that you first install a malicious app and then upgrade to a version of Android which actually implements some new permissions...

1, very few users ever update (or even have updates available)
2, manufacturers will sometimes patch Android but usually not provide updates to whole new versions and the small incremental patches won't introduce any new permissions
3, now that this issue has been discovered it's highly likely that future updates will contain a fix for it, and users are unlikely to update to a version that isn't the latest available for their particular handset, so *if* they can and do update they will be patching this issue anyway.

Comment Re:Ok seriously though ... (Score 1) 367

Linux has 2 advantages here...

1, you have the source code so anyone can provide patches, not just the original vendor. If you're shipping out thousands of ATMs you can even afford to employ a few developers yourself.
2, Linux is far more modular so you can remove all the crap you don't require - if it's not present it doesn't need to be patched.
3, Linux has lots of distros to choose from, with varying levels of support.. some of the embedded ones are actively supported for a long time

Comment Re:Ok seriously though ... (Score 1) 367

Why would the banks have to do it? Banks don't build their own ATMs, they buy ready-made ones and slap a bit of branding on top...
For the manufacturers of ATMs, the burden of supporting a cut-down ATM-specific Linux distro is rather minimal compared to the support they have to provide for the hardware and their own application anyway. If you stripped down a Linux system to the bare essentials necessary to run an ATM, you'd not have a lot of code running there so there wouldn't be a huge number of patches you'd need to backport anyway. Plus there are other organisations in other markets in the same boat with whom you could share resources.

Comment Re:next they will say Mac's get viruses (Score 4, Informative) 220

That's assuming the malware is targeting end user workstations... The malware discussed in this article explicitly targets servers, and Linux is far from an obscure platform when it comes to servers.

There are many other reasons than lack of desktop users why there is less malware for Linux... Linux users are far less likely to be running with admin privileges, Linux users have to take extra steps to execute a random binary, Linux users are less likely to want to execute random binaries due to the prevalent use of repositories, Linux users are generally more savvy than Windows users, Linux users are more likely to have updated their applications (again due to repositories)...

Also the idea of "security through obscurity" is usually promoted by proponents of closed source, who somehow think that restricted distribution of the source code will prevent people from finding exploitable holes.

Comment Re:correct horse battery staple (Score 1) 162

Requiring the site name in the password is stupid; anyone launching a brute force attack will simply take that (and any other policy requirements) into account, e.g. if you know the password policy requires mixed case and minimum length of 8 then you don't need to try all lowercase passwords or anything shorter than 8.

Similarly, locking out after a number of guesses is dangerous; that means an attacker who doesn't know your password can still cause a denial of service against your account, and it's utterly ineffective against most brute force attacks as they will go after a huge number of usernames using a small number of passwords rather than the other way round.
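
The lockout point above can be checked against login logs. The following is an added example, not part of the original comment: it compares what a per-account failure counter locks with what a per-source view flags. The log records are constructed, and the function names and thresholds are assumptions chosen for illustration; time windows are left out to keep the comparison visible.

```python
from collections import Counter, defaultdict

# Constructed sample: (source_ip, username, login_succeeded)
EVENTS = (
    # one source, six accounts, two guesses each
    [("203.0.113.7", f"user{i}", False) for i in range(6) for _ in range(2)]
    # one source hammering a single account
    + [("198.51.100.9", "alice", False)] * 6
    + [("192.0.2.10", "bob", True)]
)

def locked_accounts(events, threshold=5):
    """Accounts that a per-account failure counter would lock."""
    fails = Counter(user for _, user, ok in events if not ok)
    return {user for user, n in fails.items() if n >= threshold}

def spray_sources(events, min_users=5, max_per_user=3):
    """Sources that fail against many accounts with few tries on each."""
    per_src = defaultdict(Counter)
    for src, user, ok in events:
        if not ok:
            per_src[src][user] += 1
    return {
        src for src, users in per_src.items()
        if len(users) >= min_users and max(users.values()) <= max_per_user
    }

if __name__ == "__main__":
    # Lockout only hits the account someone hammered (the denial of service);
    # the many-usernames source never trips it but shows up per source.
    print("locked accounts:", locked_accounts(EVENTS))
    print("spray sources:  ", spray_sources(EVENTS))
```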
