Short answer? Hospital IT needs to be expanded beyond that, and any vendor willing to support the very obscure mix of technologies that would cover all of a hospital’s needs (think pharmacy databases and how they have to talk to any other pharmacy, physician order entry systems that have to be able to connect to remote systems like the doctor’s home and office workstations regardless of what they’re running, purchasing and inventory management systems and how those need to be interoperable…) would charge so much for the weirdo, super-custom stuff you’d need to make older tech work for today’s needs (and would probably introduce a ton of security holes by accident while making it) that it’d be cheaper to get off-the-shelf and then just pay a security company half that to lock your stack down six ways from Sunday.
If you want to invest the money, you can secure the shit out of Windows and your network. But then you need really strong policies, you need to be willing to spend the money to do so, and you need to compete against other businesses for people who are able to build and maintain that kind of environment, all of which is very expensive and very hard to explain to a CEO without a technical background (or a COO who gets 100% of his or her technical knowledge from trade show leaflets, or even more commonly is just taking kickbacks from bargain-basement vendors).
So hospitals will, by and large, remain insecure against a dedicated attacker. Too many attack surfaces, too many 3rd-party systems, too many people with access to all of these attack points. The only systems I’ve seen that are decently locked down are military hospitals, and about 90% of the reason that’s the case is a combination of them piggybacking on the DOD’s economy of scale for security, and them spending a shitload of money to do so because “fuck it, it’s taxpayer dollars”.