One of the implications of Steve's advice is that if you are a Windows shop, your firewall and external security solution should be based on Linux, and you should invest as necessary to maintain it. If your are a Linux shop, your security should be Windows. Exploiters tend to have expertise in one or the other, rarely both. This one measure will knock out virtually all of the opportunistic exploiters, leaving you to deal only with those who are targeting you. As for having systems around the operation unpatched because nobody knows and everyone is afraid to touch it: this is just unprofessional. Raise your bar.