Well, duh..
.. if 30+ years of persistent security problems from MS-DOS 3.30 upwards have not given you a hint that security is exactly not a Microsoft strength, then nothing will.
The arguments why don't matter much, the facts do. If your business depends on Windows, consider every terminal a risk and spend accordingly on security. If you don't, you'll become another statistic.
It's exactly all this work and elevated risk that is carefully kept out of any TCO calculation. If the calculations were indeed done for the Total cost of ownership (i.e. including labour, risk management, lost time, peripheral efforts required to shore up security, resources taken by the incessant patching etc etc etc) the picture would not look so rosy for Microsoft.
Thankfully there is at least the golf course to bypass all that.
Biting the hand that feeds IT
