Depends on the mix between clienty boxes and servery boxes.
Me? Id put all client boxes onto a simple web browser, update all client applications to be HTML5 based.
Id guess that would get rid of 75% of the headache.
For any forms-based operation, there's no reason why current applications cannot be moved to HTML5.
Windows clients and the whole USB sticks and unvetted access is just too much of security hedache for me.