The vulnerability used by this worm could have been mitigated by disabling SMBv1, hardening the machine, network segmentation .. the list goes on. If you couldn't patch, you could have still prevented this worm from impacting you organisation.

It's a case of inadequate security management and negligence.