If only it were that simple to put it all offline. Virtually everything and it's dog insists on being internet connected to register or update. Firmware updates via serial lead need a regular laptop attached to deliver the update. Cue, vulnerability. Outputs of control systems and measures have to be broadcast somehow (typically a serial.comms format) and interference is possible in between).
I have in the wild seen malware modulating the CPU fan speed to send audio signals to microphones on less secure hardware, so airgapping is not a defence against stealing data.
Microcontrollers aren't going away in utility environments, but securing the Comms loop is an incredibly difficult challenge. Imagine if you own 500 installations all over the UK, all built to different standards that applied on that given day, and you aren't funded by the public to refresh all that equipment regularly.
There is something to be said for electromechanical relays manned by staff, but then you have the permanent staffing overhead instead. Counter to the never ending cost challenges posed by Ofwat, Ofgem and other such bodies.
A/C because obviously, I have some knowledge of such environments. I will reiterate that the funding to do what is necessary isn't strictly there. someone determined, probably could get in, eventually.
See Black Energy in the Ukraine for examples.