"How about just appying security critical patches in a timely manner? or am i missing something?"
Part of the problem is that the patches tend to break other things... and make the system unusable.
So, do you want a useless MRI machine with a patched controller...
A usable MRI machine with an unpatched controller?