Against a bandwidth consumption attack, patches to the machine that is the ultimate target of the attack are ineffective, but patches to the machine that would form part of the botnet are effective.
A firewall would take care of that.
Such a firewall would have to be installed at the ISP. Otherwise, the attack traffic sent by your unpatched, Internet-connected Windows PC would congest a subscriber's link, keeping legitimate traffic from getting even as far as the firewall. In addition, if the firewall is vulnerable to other attacks, your unpatched, Internet-connected Windows PC could be used as an amplifier to attack it.
I know of no IoT devices or any significant number of non-PCs that run Windows.
That's not the point. Your unpatched, Internet-connected Windows PC could be used as an amplifier to attack unpatched non-Windows non-PC devices that cannot be patched for some reason.
That is called "blaming the victim".