That is 100% the truth. Slowly, very slowly, companies are starting to try and improve the cybersecurity posture proactively. Most though are still in a reactive state where they don't do anything until something happens. End users are even worse, you see people all over who just never want to update anything, ever, and view it all as some major interruption to their work.When I worked for various cypersecurity companies, sales guys used to say that corporate customers called only AFTER they got hacked badly.
So I am all on board with forced upgrades of end-user shit. Heck I'm even getting that way with enterprise stuff, because some sysadmins can be jackasses. Patching OSes and applications are 2 of the ACSCs Essential Eight, which are 8 things that if a business does, they are going to stop cold 90%+ of cyber attacks.