It's not just about the vulnerabilities themselves.
Let's take the current scenario: you've got a large health entity using scores of machines with an extremely old, outdated, and out-of-support OS. Part of the reason is
a) The software doesn't work on the newer OS
b) Cost of upgrade
(b) may or may not apply depending on the hardware involved, and is probably roughly equivalent excepting the cost of the OS itself. So let's look at something on a Linux system. Yes, I have software that no longer works on newer Linux versions. systemd was actually a fairly big nail in this coffin, as it changed parts of the underlying system. BUT, all those parts are visible to the user, and there exists at least the possibility to tweak stuff in the OS to get it to work. Make the actual software also OSS and your ability to get updated is that much better.
Now down to the OS itself. Many users were dependent on Microsoft to release a patch for their old OS. For XP, 2003, etc. users, MS actually came through pretty nicely on this and provided a patch. Win2k users were still out of luck. In Linux-land, the code of the underlying OS and most of the software is available. If it's a matter of fixing a bad call, it's again possible to self-service, or at least to hire somebody to rebuild it.
Now to the source of the attacks. A known vector used by the FBI. Along with that playbook comes a slew of vulnerabilities that make it hard to believe they aren't deliberate. Again, in a closed OS you don't know one way or another, nor do you have the ability to audit. In FOSS there may be vulnerabilities, but there's also much greater auditability.
Does Linux have vulnerabilities? Of course. There's Heartbleed and numerous cases of broken or buggy crypto. The thing is, these also get fixed in a fairly timely manner, and with good patch/vulnerability management you're not so much at the mercy of a vendor to do so.
The funny part, though, is that even for Windows, it looks like disabling the File and Print Sharing components kills off the components the vulnerability needs (remove F&PS, port 445 goes bye-bye), and there was probably NO NEED to have those enabled, or even installed, on most of the machines in question. It was there by default, but had the machines been set up properly it would have been disabled, at least removing the one vector for infection.
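The "remove F&PS, port 445 goes bye-bye" check above, scripted, as an added example that is not part of the original post. It assumes a current Windows client or server (Windows 8 / Server 2012 or later, where the NetAdapter, NetTCPIP and NetSecurity PowerShell modules exist; the XP/2003 boxes the post is about have none of these cmdlets and would need the adapter-properties dialog or netsh instead) and an elevated PowerShell session. It goes a little beyond the post: besides unbinding "File and Printer Sharing for Microsoft Networks" (component ID ms_server) from every adapter, it also stops and disables the Server service that owns the SMB listener, adds a host-firewall rule for inbound TCP/445, and re-checks the listener, because the hardening only counts once the re-check comes back empty.

```powershell
# Added example, not code from the original post. Assumes Windows 8 / Server 2012
# or later and an elevated (Administrator) PowerShell session.

# 1. Before: is anything listening on TCP/445 (SMB over direct TCP)?
Write-Host "== Listeners on TCP/445 before =="
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Which adapters still have "File and Printer Sharing for Microsoft Networks"
#    (component ID ms_server) bound? This is the checkbox the post talks about.
Write-Host "== Adapters with ms_server bound =="
Get-NetAdapterBinding -ComponentID ms_server | Where-Object Enabled |
    Select-Object Name, DisplayName, Enabled

# 3. Unbind File and Printer Sharing from every adapter (scripted equivalent of
#    unticking it in the adapter properties dialog).
Get-NetAdapter | Disable-NetAdapterBinding -ComponentID ms_server -PassThru |
    Select-Object Name, ComponentID, Enabled

# 4. The listener itself belongs to the Server (LanmanServer) service. On a box
#    that serves no shares there is no reason for it to run at all, so stop it
#    and keep it from coming back at boot.
Stop-Service -Name LanmanServer -Force
Set-Service  -Name LanmanServer -StartupType Disabled

# 5. Belt and braces: even if something re-enables the service later, keep
#    inbound 445 closed at the host firewall.
if (-not (Get-NetFirewallRule -DisplayName "Block inbound SMB (TCP 445)" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "Block inbound SMB (TCP 445)" `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# 6. After: this should print nothing. If a listener is still there, something
#    other than the Server service owns it; look at OwningProcess before declaring
#    the machine clean.
Write-Host "== Listeners on TCP/445 after =="
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it once on a machine that is allowed to lose SMB serving (a workstation or an appliance-style box that never exports shares); a file server obviously needs the Server service, and there the firewall rule should instead be scoped to the subnets that legitimately mount its shares. Step 6 is the part that matters: the other steps are assertions about configuration, the re-check is the observation.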