FTFY. It's easy to blame it on IT admins, but real core of the issue often comes from incompetent management.
Not to mentioned that patching 1-10 machines is easy, but patching thousands require a bit more being not "tardy".
It's not uncommon for IT guy to troubleshoot or train it's company Sr Manager mobile device basic usage instead of focusing on best practises.
Don't get me wrong, plenty of IT guys sitting on their asses, wasting time, but honestly hospitals, even in US are extremely lacking in even basic IT security with blame falls just as well on shoulders of medical devices and equipment manufactures.
https://www.wired.com/2017/03/medical-devices-next-security-nightmare/