Who pays for it? Us
Remember that we pay MS for the Windows licenses. Then we pay for the IT staff to ensure that the updates don't break the other applications. Then we pay for the IT staff to update all the systems. Meanwhile, we spend an appreciable part of our IT budget on AV systems, Patch Management, all kinds of network protections, etc.
Just so that we can run Word, Excel, Outlook and PowerPoint. Not that these applications are any more secure. And we pay for them too.
What a scam. And we are responsible for our ignorance.
I remember a a presentation by MS Senior VP their Mountain View buildings around 2003-2004 where they touted how many fixes they put out and the effort they were putting into securing their systems. One gentleman politely asked the SVP if Microsoft was going to pay for all the costs required to update systems. The SVP's answer was, "Why should we?" Which either meant that he did not understand the gentleman's question or that he really didn't care about the downstream costs of Windows.