Not entirely correct..
More software isn't the solution to things like this.. (Sandboxes can be bypassed, signature-definitions are always outdated when they are needed, etc..)
The current ransomware hype is a good reminder that you should -NEVER- open attachments (or click links) in emails from people you do not know, or people you know that you do not expect emails from.
Every time my parents or siblings ask me about things like this (had a call from my mother today regarding what the news was hyping about the end of days on the internet and whatnot thanks to this crypto tool), I repeat the same mantra I have always told her, and them.
Never trust anything you read or receive on the internet. If you do not expect to receive something, it is false. If you suddenly get an invoice but you haven't ordered something, delete it. If someone on your friends list suddenly sends you a message in a different language with an attachment or a link that you do not expect to receive from them, delete it. (Also, you never win, nothing is free, etc. etc etc..)
The ransomware that hit Russia and the NHS for example (which according to earlier news reports had several thousand XP computers) could maybe have been avoided with a good Software Restriction Policy (of course, it would only take one infection to hit the entire network, not sure if SMB1.x could be killed on XP?) combined with an email filtering/proxy for outside access. From all the information I've read, it was received through an attachment in email - assuming it was an executable. Chances are that they, if they were running Windows XP, also had outdated versions of Java, Flash and Adobe PDF reader on the computers - so there are several tasty targets to attack, not to mention vulnerable browsers allowed to access the "full" internet, no ad-filtering, watering hole attacks etc.
Have there been any reports on what the initial compromise situation was, and if it was email, how it was formatted? I.e. was it a typical "worm" attack which attacks at random and spreads by itself, or was it a tailored attack towards NHS where the email would appear to be something related to what NHS work with? I would think that most major crime kits already have a module for MS17-010 so you can get it by just visiting the wrong web page (like BBC or New York Times, thanks ads!) and get it that way as well.
Regardless, any software to mitigate or prevent incidents would take funding and a lot of time. They must have an XP replacement underway, but it is unknown how much time they had spent on "stopgap" measures such as VDI and hardened network solutions to reduce the impact of any infections. Surely they have been working on this for years already; or has all the money gone to stuff like this? https://www.theguardian.com/society/2013/sep/18/nhs-records-system-10bn
I guess network infections like this could also be blocked with some decent network surveillance software (again, funding) to detect anomalous traffic/processes and mechanisms in place to automatically quarantine computers / parts of the network that exhibit these processes. Think water-tanks on the Titanic. But again, funding.
If the internal spread is related to SMB 1.x, surely this is reliant on the "Server" service on Windows XP, which if I remember correctly can safely be disabled while you retain the "Workstation" service to access SMB files on network shares (can't remember the dependency between those two services)? Thus you would not be remotely infected by this worm, you could only infect unpatched servers (and crypt anywhere you had write access) if you yourself launched the cryptokit. So, everything would've been avoided with configuration of software they already had - given resources to do so.
I guess they'll blame the lack of money on the EU.