We have a largeish number of systems that IT declared catheorically could not connect directly to the Internet for any reason.
So guess what systems weren’t getting updates. Also guess what systems got overwhelmed by ransomware that hit what would have been a patched vulnerability, that came through someone’s laptop that was allowed to connect to the Internet.
My department was fine, because we broke the rules to get updates.
So did network team admit the flaw in their strategy? No, they declared a USB key must have been the culprit and they literally went into every room and confiscated all USB keys and threw them away, with quarterly audits to make sure no USB keys appear. The systems are still not being updated and laptops with Internet connection are still indirectly bridging them.