This is quite common. Lots of small to medium IT teams have terrible security hygiene and awful image build and cloning processes.
I’m glad to see Microsoft at least attempted to take some of that away with things like autopilot which allow OEM builds to be customised just by signing into AD. It’s fairly easy to sidestep a lot of problems like this.
We were getting brand new pos terminals direct from the supplier with conficker installed ten years after conficker was news. When we pushed for a fix, machines started arriving with instructions to run a conficker removal tool before using them.
I’m glad to see Microsoft at least attempted to take some of that away with things like autopilot which allow OEM builds to be customised just by signing into AD. It’s fairly easy to sidestep a lot of problems like this.