My approach to IT security starts from: There is very little security. That stands regardless of OS.
I patch everything I can think of, as regularly as I can think of. It is rare that a patch is delivered along with a changelog along the lines of "meh, lol, soz". I'm old enough to remember when the notion of a patch was the only term in play, well before "service packs".
I'm jolly boring and run host-based firewalls and router, switch, edge etc. firewalls, mostly with point-to-point rules. It's a bit of a faff, and so is completely random and different passwords and targeted MFA on each host. I'm fairly sure it is quite hard to pivot across my land.
The best approach to security is to start with: "Mine is a bit shite" and "I'm probably already compromised" and work from there. In the real world: start with a threat model and work on out. For most people that is avoiding scams and becoming part of a bitcoin farm.