Moving to an OS with an even larger attack surface and larger nightmare for "DevOps" doesn't seem like the right move.
The right move would be to stop using a desktop OS for basic kiosks, develop an application-specific OS which could be based on something like Ubuntu. The attack surface would be significantly lower and updates could be better controlled.
I don't have an argument with any of that. Just the claim that the NHS is "running on Windows XP", which felt like a lazy accusation that's at least a couple of years out of date.