Imho the problem lies with the attitude that we'll be safe if we tick all the boxes... Latest OS, AV, update etc. Utter nonsense. No amount of OS updates or AV will give the slightest protection, if you are among the first to be targeted when new malware is unleashed.
Now, I understand what you mean, but in this instance, this situation was entirely caused by a lack of updates. The ransomware strain in question makes use of MS17-010, a vulnerability that was patched over a month ago, to spread between Windows systems. In this case, if the NHS had been using a modern and up to date OS, this would not have occurred on the scale it has.
While this is not true for all strains of malware, this specific type and strain has many proven solutions to prevent it, including solutions from many AV vendors, and even included in Windows Defender on newer OS builds such as Windows 10.
Encryption is no real defence, as vulnerabilities will be found that allow it to be cracked - as has always happened, and always will. Conduct your business on the assumption you will be successfully attacked, just plan for dealing with it. And don't be surprised when it happens, regardless of any assurances you may have been given by highly paid 'security specialists'.
I do agree with you here. Encryption is not a defence, it is simply a measure to reduce the damage once an attack has occurred. In this situation, no amount of encryption would have stopped the ransomware spreading, but in the case where the data was stolen, it would have prevented access assuming the encryption keys weren't also stolen, and that a good algorithm was used, such as 256 bit AES.
Vulnerabilities will always be found in systems, and OEMs will always do their best to patch them if they are found before they are exploited, but in some cases they are exploited first. Ensuring systems are up to date is still a key step to ensuring systems are kept secure, but yes, you still have to expect that you will be attacked successfully, otherwise you risk much harsher repercussions, especially with the EU General Data Protection Rules coming into force soon, with their much harsher penalties.