A bigger NHS budget wouldn't solve the ransomware problem, no

A number of NHS trusts have found their computers encrypted, locked and held to ransom. Pay $300 in Bitcoin to... or else. At which point come the usual and entirely unsurprising insistences that if only the NHS had a bigger budget then this would not have happened.

And that's not in fact true. But, of course, it is being said:

The ransomware attack is all about the insufficient funding of the NHS

No, as ever, this is not about the amount of money, this is about how the money is spent:

“The problem is that the old IT systems were never designed to withstand the forces now ranged against them,” Moores said. “You may note that US hospitals haven’t been so badly hurt if only because they have the money to use more up-to-date systems rather than coax older systems to keep going.”

No. Again, it's how money is spent, not how much there is.

Yes, there's that interesting side issue that the NHS used to pay Microsoft for support on that outdated Windows XP and then decided they wouldn't. But that makes no difference here, as the company didn't release the necessary update to anyone until this attack had already started. Why should they? They announced some years back that they wouldn't be supporting this any more.

No, our problem is that the NHS is a government system; those American hospitals are not. And the one thing that governments really aren't good at is maintenance. Anyone with any experience of the Soviet bloc in its pomp knows this.

We've even tried lavishing fortunes on NHS IT and it didn't work well. Some £12 billion spent and by some reports not a single usable line of code resulted - possibly an exaggeration but still. And IT spending in the NHS is increasing at a reasonable clip, ahead of inflation at least.

Computer security is maintenance, by the way. You don't need ribbon cuttings on masses of shiny new kit, there are no grand projects to announce, no one stands up in Parliament and details how 10 web monkeys upgraded 500 PCs yesterday. Which is exactly why a government-run system ends up splashing £12 billion on nothing and spends nothing on security maintenance.

It's entirely reasonable that the NHS runs on an old operating system, by the way. There is so much sector- and function-specific code out there that upgrading would be both hugely costly and really not worth it. But money does have to be spent upon security maintenance, the one thing that a politically driven and centralised system never is any good at.