@GossiTheDog No critical infrastructure should run 3rd party services that perform unsupervised automatic remote updates. The OS is irrelevant.
Also, not every server needs to have ends point protection. (For example, the kiosk displaying arrivals and departures.)
@tob almost all cyber insurance and regulatory standards say the exact opposite of your toot.