Eeeeh....99% right.
I've done a lot of ransomware cleanups (I changed my name by deed poll to Mr Plan B, because I found myself helping a few businesses out when their sysadmins failed).
There was a ransomware strain that came through a remote desktop vulnerability and another that used an SMB vulnerability. I've also seen malware come through MSSQL too.
It's usually users, but not always. Sometimes it's wanky sysadmins. By wanky I mean unassertive...you don't highlight an issue, get refused money to fix it, then leave it because "muh budget". You lock it down to fuck until the CEO has the problem land on his desk.
When the CEO starts losing time, budgets magically appear.
My favourite is scheduling a meeting to discuss backups and suggest a test and highlight the amount of downtime required (even if there is none, tell them half a day "just a precaution").
Nobody cares if you're wasting huge amounts of time backing things up, but everyone cares when you're wasting their time testing it.
Remember kids, it's rare to be fired for doing your job right and being an inconvenient arsehole isn't an exclusive privilege reserved for CEOs. As IT guys we can throw as much weight around as they can.
If you need more tips on handling your boss, read some Dilbert.