It's interesting to note that the 3 most destructive bug-exploiting worms of recent time all attacked security vulnerabilities that a fix was released for two to four weeks earlier. This suggests that even these worms really targeted people - in this case, the inability or unwillingness to keep the software updated. Two of these worms targeted servers, so inability is not an excuse. Only Blaster attacked consumer systems. MS reacted to this worm by enabling automatic updates by default in subsequent updates.