What usually happens is something like the following: you have several Windows PCs on a LAN. One user on the LAN decides it's a good idea to open the quarterly_results.xlsx.exe attachment that came from the company's Nigerian branch. Or maybe they're curious to see what's on the thumb drive that somebody 'accidentally' left in the restroom. Every organization from the grocery store on the corner to the NSA has someone working for them who will think that's a good idea.
Now you have an exploited system inside the firewall. If any drives or other resources are shared among computers on the LAN -- which after is the whole idea behind a LAN -- the machines hosting those resources are at substantial risk. Even something as harmless as a shared printer can serve as a staging area for attacks.
This is why compromising Windows Update to turn it into a marketing vehicle was such a monstrous thing for Microsoft to do. Giving users an incentive to turn off automatic updates was just incredibly stupid and counterproductive. But they did it anyway, because, after all, "We're Microsoft. Who's going to stop us?"