
>You could have no security and just get lucky and never get hacked.

It's been a decade and more since that was even remotely true (if it ever was). Back in 2008 the average survival time of an unpatched internet facing XP box was around 4 minutes [0]. Pwning an unpatched XP box was (very marginally) harder than pwning a system with no security at all. The Morris worm (Edit: which is heavily mentioned in TFA, my bad) [1] got loose in 1998. There's some interesting stuff regarding whether such risks are comparable with things we use insurance to hedge at [2].

[0] https://isc.sans.edu/diary/Survival+Time+on+the+Internet/472...

[1] https://en.m.wikipedia.org/wiki/Morris_worm

[2] http://limn.it/the-morris-worm/



>>Back in 2008 the average survival time of an unpatched internet facing XP box was around 4 minutes [0].

Yep. And that's just the average. It was much, much lower for high-value targets, such as universities. The first thing we did at my Network Security class back in 2006 was to hook up an unpatched XP machine to the Internet. It got pwned in about 30 seconds.


What I don't get about this is how the new system is discovered in the first place, assuming the attacker is not already on the network. Sure, gain fast access, but why would you let the traffic on to the local net to discover the machine (except for examples)? I can see a box stuck on a home connection getting pwned quick, but surely a Uni network would be blocking RDP traffic, or external pings, or whatever it was that was being used to find and pwn XP computers so quickly?

Wouldn't multiple attackers have to be effectively flooding the network with pings or service/port access attempts to find a new computer so fast?


At that time? At a university? No. You typically got a public IP address via DHCP and there was no firewall at all. Even today that's still pretty much the case, though a new device is probably assigned a non-routable address until a terms of use agreement is clicked.


They were talking about an XP facing the internet, so without network protections like blocking pings.


Probably just a typing error in your otherwise fine post, but the Morris worm was 1988.


Indeed, good catch.



