Yes, all those process set-up things are necessary and need to be done properly, and some of them have not been done properly in the case of Stuxnet. But on their own they are not *sufficient*.
Like it or not, Windows has to go, from places where IT don't go. IT don't do factory automation, IT don't do electronic lab equipment, IT don't do hospital medical equipment, etc. Why should these people have to do IT's job for them?
"if all your programmers program AIX, you wouldn't buy Windows or VMS,"
If an application's requirements call for AIX or VMS, and all you've got is Windows people, then Windows is still the wrong answer. Picking the right tool is the answer.
If you want a hedgecutter you don't buy a lawnmower because there's only lawnmowers in your company's chosen shop, do you? Do you? Sensible open-minded people find another shop, perhaps a rental shop if it's only an occasional job, and use the right tool for the work at hand. Even if they're very nice lawnmowers, advertised on QVC and marketed on The Garden Channel, a lawnmower is still not a hedgecutter.