Heterogenity may sound nice, but if I have x different systems, it multiplies the number of vulnerabilities too. And of course I would need staff, which knows this systems very good and is able to test / patch them.

I guess there a a lot of small and medium shops out there, who will patch their Windows systems regularly, but runs a 5 year old unpatched Linux server which will be never be touched, because it is too risky to break it (when applying all outstanding patches) or because nobody in this shop knows Linux well enough and because it just runs.