"It is a situation where MCSEs had no idea that there is a fundamental vulnerability in IIS and ISAPI mapping and so had no way to protect their systems other than after-the-fact patching," said Paller.
You know, security aside, why don't these MCSE's keep an eye out for patches to the software, on general principles? Yes, it's a pain to monitor and install all the patches. But that's Windows.