Honestly, windows out of the box is pretty secure. I don't want to defend Microsoft here, but adding third party security to Windows hasn't been anything but regulatory compliance at best and cargo culting at worst for over a decade now. If you actually look at core windows exploits compared to market share, they're comparable to Apple. Enterprises insist on adding extra attack surface area in the name of security.
I agree that people who actually know what they're doing are generally running Linux backends, but Microsoft have enterprise sewn up, and this attack is not their fault.
A lot of active directory defaults are wildly insecure, even on a newly built domain, and there are a lot of active directory admins out there that don't know how to properly delegate as permissions.
This is true. You are basically one escalation attack on the CFO away from someone wiring money to hackers and a new remotely embedded admin freely roaming your network.
I agree that people who actually know what they're doing are generally running Linux backends, but Microsoft have enterprise sewn up, and this attack is not their fault.