theanswar

theanswar t1_j60fwt5 wrote

>We are talking about companies that just completely ignore security

Correct, because it's costly to even have someone on staff who manages it. Let the IT Admin also be the CISO... and the help desk... and the patch manager... and the hardware department... and software... you get the idea.

Very few school districts could afford a role for a security manager, as the board and parents would prefer the money be allocated to sports, teachers or programs.

3

theanswar t1_j60ab1h wrote

It's a challenge to do after the fact. Once you're pwned, you can't go back. Many companies, public and private, have put off investing in their security and IT stack (Southwest Airlines) and have to deal with it after the fact.

Schools, especially public ones, can't invest in IT. Let's see what the voters and unions would approve: a new backup software or more in teacher salaries and school lunches. It's a losing game for most public school IT departments.

So they get exploited. And now they don't have the infrastructure or processes to restore from backup and start new. So they pay. They have to because it's still cheaper than all of the above.

Plus, what if it's a phish or social engineer? Then the mitigations above will only be partially effective.

It's a multi-dimensional problem, for sure, and technology can help mitigate some of it. But ransomware won't go away, and blaming the victim for paying to keep their organization going (saving lives or teaching kids) isn't the right thing to do either.

11