Re: so installing critical security patches
"Some of the computers that run these fabs are stuck on obsolete versions of Windows NT"
Earlier reporting on WannaCry indicated that it could not infect Windows XP, only Windows 7. I assume NT is then also not "supported".
Based on this, I would assume that the infected computers are Windows 7 which means that a patch was available (for a long time). I realise there is always a risk in patching in an industrial system, but as we have learned many times before and now again, *not* patching also comes with a risk.