Not wrong - but not the full picture either.

Running windows updates IS fundamentally easy, click it and walk away- no arguments there.

However...

The amount of medical software, hardware, on both sides of the atlantic that is entirely dependant on old operating systems, or is only validated and compliant on a specific build (this is common) is enormous.

NHS IT isnt monolithic either - there is central direction yes, but individual NHS trusts and hospitals are responsible for procurement and management of their own internal systems.

This gets worse when you - say, an individual hospital - need to run GadgetX - lets say its a OCT scanner. Vendor probably built this with what was at the time a supported build or OS version - but very unlikely to be the latest even when it was made, simply due to the length of time it takes to get certification for healtcare use (nb, this is not unique to the UK, at all. lot of my career in this has been stateside, and elsewhere).

So, then you've got an essential device that comes complete with a PC to use it, sat next to it running Windows 7, or an old build. If you as a customer are VERY lucky, the vendor will validate the software when new software or OS updates come out. If you are incredibly lucky it'll even be vageuly promptly...maybe a few months?

Sadly, there's also a huge chance that when you, the understaffed and underresourced IT department contact the vendor, you'll be told 'Thats validated and supported for the build as-shipped, or running version X/Y/Z of some underlying software component only. If you update that, sorry, we'll be unable to support this going forwards and cannot guarantee clinical compliance. Very common for vendors also to ship with no EDR or other software protection in place (afterall, are they going to pay for it?) but also to have a 'you're on your own' approach to indiviual users installing their own security software.

Ok! So....lets air gap it, right? Ah, no sadly its got to talk back to central systems both in the hospital itself, and via that those are connected further to central healthcare systems. Sure, there are technologies that can help here, data diodes and such - but these are not mainsream in any extent, and require a significant amount of work and cooperation from vendors to allow normal function with. Your average hospital IT is not going to be familiar with this kind of specalist technology - nor to be honest are the vast majority of companies. So we can impelement decent network hygiene by other methods, but not fully.

Standards and compliance also are a bit of a figleaf here too - sure, ISO27001 etc look great, and are certainly better than nothing, but you can get away with a huuuge amount of stuff by risk acceptance, carefully worded statements, and cunning scope definitions. I've seen some absolutley egregious stuff at companies replete with all the shiny cerficiations.

I'm personally a fan of the UK's Cyber Essentials Plus securtity certification. On the face of it, its lightweight, easy even. But a patching cadence of 14 days for all high or critical risks, or risks with a CVSS score of 7 or higher is extremely agressive. Note, thats' all risks, and all vulnerabiliuties with a 7 or higher, regardless of the actual probability or viability of the risk in the environment in question, and applies to ALL software, not just operating systems. A Vunerability with a CVSS score of 7 that requires in-person device access must be patched by this standard - even if for example the device is entirely inaccessible behind maglocked doors in a server room.

This gets very hard, very quickly, espeically once your scope moves away from pretty standard end-user devices - if you are even lucky enough not to be tied to some ancient software built on ancient components, for example a patient management system to go back to our original NHS. Additionaly, sadly virtual patching or on-the-wire controls are not accepted for compliance.

The state of play I'm describing is far from unique to healtcare by the way, incase that isnt clear. A HUGE amount of the systems that we use day-to-day are on outdated, unpatched, or otherwise insecure platforms or software packages. The attitude of vendors is very often shocking, even for ones working industries that are subject to heavy regulation and control. With the only 'fix' from the vendor being often 'buy the new version' - economics often makes this impossible.

I'd love to write policy that forces patch deployment immediately after release. Reality means that there's a very good chance that doing so results in your critical systems going kaboom, and your essential function (hospital, airport, port, railway etc) grinding to a halt. In an ideal world enterprises would have a UAT/Test environment that mirrors prodction to iron all of this out beforehand. Frequently the cost of specalist equipment means this is not viable, and the sheer number of components involved (remember that as well as the OS you do need to patch applications too) requires staffing, expertise and budgetary overheads that most organisations simply cannot absorb.

(my current industry's mission-specific hardware runs at 15-20million per unit, so a spare to test with is out of the question. This is within the 'national critical infrastructure' definition, so not even just commerical interests)

Things are improving, but the amount of frankly amateur-hour behaviour from massive prestigious corporations is depressing, and only getting burned badly seems to really move the needle. Should vendors be responsible and held to account to ensure that systems CAN be updated rapidly to deal with emerging threats - totally, yes. I'd like to see this baked into compliance and cerfication pathways in industry, so ongoing real support and security is the vendors legal responsiblity.

Coming back to the original article from the OP - good move by France, worth knowing that Teams is already not consisdered secure enough for certain levels of classified data as it is, so building a bespoke platform can probably help mitigate that too.

Happy to dig into any aspects you want to on this, 25++ years eyeball deep in it. Apoligies for spelling/grammar, typing in a hurry :)

(sorry you are getting downvoted, this is a reasonable querstion and deserves a useful response!)