The problem can go like this: Every time we get a fix from Microsoft we have to read 15 pages of guff, do a trial run with a dummy server, and backup everything. One time we had to run without our server for two days while some graduate comes in to scratch his chin furiously and ends up rebuilding the system from...
Software updates are usually pretty innocuous, until you have so many of them to do, you lose track of them.
We do not do updates. We do not run Microsoft SQL server, so the latest attack completely missed our operation. That is not to say that if you do not run Microsoft you are immune from attacks. Far from it. It is easier to write software using Open Source, and the same goes for viruses. There are plenty of tools out there. They work just as well to write infiltration software on any platform. But we keep hearing that users have an "obligation" to apply software updates and fixes and the failure of users to do so is the cause for a lack of security.
We contest that idea. We believe it is stupid to apply fixes, and makes a business a slave to its computer system.
It is cheaper to run secondary systems, but M$ licencing makes that a little difficult.
To upgrade Linux we just install a new boot disk and copy the file systems over. Up and running usually in a morning. To make a system backup, it is just one command and then your entire system is archived. It is easy for programmers to do their job. They do not have to read 16 pages of deadly boring guff for a start...
Time to consider a Linux installation.
