Any network will get malware on it eventually. Some networks get malware on them a lot more often than others. These things are not contradictory.
Any system will lose data permanently eventually. Some systems have no backups and therefore will lose data permanently more often and in a more damaging manner. These things are not contradictory.
The most sophisticated attack will eventually get access through a very good security system. A good enough security system will block less sophisticated attacks. These things are not contradictory.
Some of this is about doing the job well. Ransomware can be prevented more often by employing security measures that make it harder to install. While it can't be prevented in all cases, the risk can be reduced. If ransomware does strike, it will be debilitating, but if there are good backups, it will lessen the cost of fixing things. A sophisticated attacker may manage to infect the backups too, but it's possible to avoid that. Therefore, it is justifiable to say that a place with local admin rights for everybody and no backup system has failed to do its job related to security. We're not being sanctimonious any more than you would be if you told me not to leave the keys to my car in the car and then walk away. It's a precaution they have to take and they didn't. This doesn't apply to everybody, but you'll find it applies to a lot of them.
Biting the hand that feeds IT
