Yes they do, because ergonomics require decent keyboards, screen and mouses. They may not need fat clients and would be off just as well with thin clients, but laptops or that form factor do *not* replace desk top systems since they still need the keyboard, mouse and screen and will essentially be used as a desktop almost all of the time.
They need access to their individual applications and data too. While it may be possible migrate all those to web applications or some client-server model, I doubt Turin has managed to finalize that sort of thing yet. Most EU cities have over a thousand custom applications that often run on antiquated proprietary systems and they will still have a burden of those for a long time.
Getting people the cheapest computer possible sounds like an easy way to save money, but in the end the price of the hardware is only a fraction of the costs and often the extra costs incurred by buying cheaper will make it more expensive. Starting with migrating just the desktops to linux and running the proprietary cruft on things like Citrix servers will save them a lot of money without a significant down side.
Oh, because they're not running windows, they can probably use their older systems a bit longer too, if electricity costs don't make it cheaper to upgrade anyway to more energy efficient devices.
Why would these "Russian criminals" be the ones behind this attack? Sure, some company that used the argument that there seems to be a list of over 1 billion accounts floating around on the internet to sell their services some time ago. It may even be that this list was found for sale on a Russian market place. It may even been that there are actual Russians selling this list. The accounts could even be mostly real, although probably most of it will be relatively dated.
But why would that same group of people that are actively selling this list be the same group that is using it? It makes much more sense that some group that bought part of this list, or bought some other list, or has their own trojan to steal passwords is now attacking namecheap. Unless there is substantial evidence that the same group is behind it, this is just FUD and sensationalism.
Namecheap is under attack with what's most likely a brute force list with accounts that were compromised in some yet unknown way. I think those are the facts and the rest is purely speculation.
While you have a point, you shouldn't forget the Raspberry Pi. It is probably the most popular internet facing non-mobile ARM platform today. Literally millions of these run glibc and at least hundreds of thousands are in some way or form directly connected to the internet. While I don't believe that this bug can be exploited without first gaining RCE on the raspberry pi, once an attacker gets access to the rpi, this bug should be able to get them to escalate to root privileges.
There are quite a few people that put a full debian (or other) distribution on their NAS server. I own a zyxel NSA 325 and it is possible to install a full debian release on this and some other NAS boxes. These might be a limited amount of systems overall, but it's significant enough to deserve mentioning because they too often are internet facing.
Sendmail is historiy just as bind is history. Sendmail uses m4 for it's configuration files (you shouldn't edit the "compiled" stuff), so it's not sendmail that is culprit here. Bind is history because there's powerDNS now. Exim and samba aren't a mess, but they do use "text files" for configuration.
Anyway, they all use a standard, since it's human readable ascii. It may be obscure since there isn't much if anything that uses their format apart from themselves, but it's a standard. You could argue that all these apps should standardize on XML, but then you'd have all the tags that need to be standardized too. Going for binary files means humans will need extra software just to edit that and machine generating those will be harder too. The Windows Registry is a mess if I ever saw one and after about 20 years it's such a myriad of patches and additions that it's hardly managable.
Standards are great, which is why everyone invents at least one new one. Pushing very different requirements into one standard usually makes it either too crippled to be useful or too bloated to be maintainable. Maybe it's you that needs to find something else to do if you can't muster up the energy to deal with these inconveniances anymore. There will always be incompatibilities and annoyances if you have to deal with technology so either put up or move on.