Two-thirds of those caught up in the global WannaCrypt/WannaCry ransomware attack were running Microsoft's Windows 7 operating system without the latest security updates, a survey for Reuters by security ratings firm BitSight found.
Researchers are struggling to try to find early traces of WannaCry, which remains an active threat in hardest-hit China and Russia, believing that identifying "patient zero" could help catch its criminal authors.
They are, however, having more luck dissecting flaws that limited the spread of the ransomware.
Security experts warn that while computers at more than 300,000 IP addresses were hit by the ransomware strain, further attacks that fix weaknesses in WannaCry will follow and hit larger numbers of users, and with more devastating consequences.
"Some organisations just aren't aware of the risks; some don't want to risk interrupting important business processes; sometimes they are short-staffed," said Ziv Mador, vice president of security research at Trustwave’s Israeli SpiderLabs unit.
"There are plenty of reasons people wait to patch and none of them are good."
WannaCry's worm-like capacity to infect other computers on the same network with no human intervention appears tailored to Windows 7, said Paul Pratley, head of investigations and incident response at UK consulting firm MWR InfoSecurity.
Data from BitSight covering 160,000 internet-connected computers hit by WannaCry shows that Windows 7 accounts for 67 percent of infections, although it represents less than half the global distribution of Windows PC users.
Computers running older versions, such as Windows XP as used in Britain's NHS health system, while individually vulnerable to attack, appear incapable of spreading infections and played a far smaller role in the global attack than initially reported.
In laboratory testing, researchers at MWR and Kryptos say they have found that Windows XP crashes before the virus can spread.
Windows 10, the latest version of Microsoft's flagship operating system franchise, accounts for another 15 percent, while older versions of Windows including 8.1, 8, XP and Vista, account for the remainder, BitSight estimated.
Organisations fail to patch
Any organisation which heeded warnings from Microsoft to urgently install a security patch it labelled "critical" when it was released on March 14 is immune, experts agree.
Those hit by WannaCry also failed to heed warnings last year from Microsoft to disable a file sharing feature in Windows known as SMB, which a covert hacker group calling itself Shadow Brokers had claimed was used by NSA intelligence operatives to sneak into Windows PCs.
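The article reports Microsoft's advice to disable the SMB file-sharing feature, but gives no procedure. The following PowerShell script is an added example, not part of the Reuters piece and not code from Microsoft or any firm quoted here; it audits whether the legacy SMB version 1 protocol is enabled on a Windows host and, only when run with the assumed -Remediate switch, turns it off. The script name and its parameters are the example's own; the cmdlets, feature name and registry value it uses are the documented Microsoft ones for Windows 8/Server 2012 and later (Get-SmbServerConfiguration, SMB1Protocol optional feature) and for Windows 7 (the LanmanServer SMB1 registry value).

```powershell
<#
  Audit-Smb1.ps1 (hypothetical name, added example)
  Reports whether SMBv1 is enabled on this host; with -Remediate, disables it.
  Run from an elevated PowerShell prompt. A reboot is required for the
  Windows 7 registry change and for the optional-feature removal to take effect.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # assumed parameter: audit only unless this is given
)

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$findings = @()

# --- Path 1: Windows 8 / Server 2012 and later expose the SMB server settings ---
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $cfg = Get-SmbServerConfiguration
    $findings += [pscustomobject]@{
        Check  = 'SmbServerConfiguration.EnableSMB1Protocol'
        Value  = $cfg.EnableSMB1Protocol
        Status = if ($cfg.EnableSMB1Protocol) { 'ENABLED (at risk)' } else { 'disabled' }
    }
    if ($Remediate -and $cfg.EnableSMB1Protocol) {
        # Turn off the SMBv1 server side; -Force suppresses the confirmation prompt.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMBv1 server protocol disabled via Set-SmbServerConfiguration.'
    }

    # The optional Windows feature ships the SMBv1 client and server binaries themselves.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) {
        $findings += [pscustomobject]@{
            Check  = 'OptionalFeature.SMB1Protocol'
            Value  = $feature.State
            Status = if ($feature.State -eq 'Enabled') { 'ENABLED (at risk)' } else { 'disabled' }
        }
        if ($Remediate -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            Write-Host 'SMB1Protocol optional feature disabled; reboot to complete.'
        }
    }
}
else {
    # --- Path 2: Windows 7 / Server 2008 R2 have no SMB cmdlets; the server-side
    # switch is the SMB1 DWORD under LanmanServer\Parameters (absent = enabled). ---
    $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $enabled = ($null -eq $smb1) -or ($smb1 -ne 0)
    $findings += [pscustomobject]@{
        Check  = 'Registry LanmanServer\Parameters\SMB1'
        Value  = if ($null -eq $smb1) { '(not set)' } else { $smb1 }
        Status = if ($enabled) { 'ENABLED (at risk)' } else { 'disabled' }
    }
    if ($Remediate -and $enabled) {
        New-ItemProperty -Path $regPath -Name SMB1 -PropertyType DWORD -Value 0 -Force | Out-Null
        Write-Host 'SMB1 registry value set to 0; reboot to complete.'
    }
}

# Summary table: one line per check, so the result can be pasted into a ticket.
$findings | Format-Table -AutoSize
```

Run without arguments on each host to get an inventory of where SMBv1 is still on; only the -Remediate run changes anything, which keeps the audit safe to push fleet-wide before a change window. Disabling SMBv1 removes the protocol WannaCry's worm component used to spread, but it is a complement to, not a substitute for, installing the March 14 security update the article describes.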
"Clearly people who run supported versions of Windows and patched quickly were not affected," Trustwave's Mador said.
Microsoft has faced criticism since 2014 for withdrawing support for older versions of Windows software such as the 16-year-old Windows XP and requiring users to pay hefty annual fees instead.
The British government cancelled a nationwide NHS support contract with Microsoft after a year, leaving upgrades to local trusts.
Seeking to head off further criticism in the wake of the WannaCry outbreak, the US software giant last weekend released a free patch for Windows XP and other older Windows versions that it previously only offered to paying customers.
Microsoft declined to comment for this story.
Microsoft has called on intelligence services to strike a better balance between their desire to keep software flaws secret - in order to conduct espionage and cyber warfare - and sharing those flaws with technology companies to better secure the internet.
Half of all WannaCry infections traced via IP addresses are located in China and Russia, with 30 and 20 percent respectively.
By contrast, the United States accounts for 7 percent of WannaCry infections while Britain, France and Germany each represent just 2 percent of worldwide attacks, Kryptos said.
WannaCry targets enterprises
The ransomware mixes copycat software loaded with amateur coding mistakes and recently-leaked spy tools widely believed to have been stolen from the NSA, creating a vastly potent class of crimeware.
"What really makes the magnitude of this attack so much greater than any other is that the intent has changed from information stealing to business disruption," said Salim Neino, chief executive of Los Angeles-based Kryptos Logic.
Last Friday, the company's British-based 22-year-old data breach research chief, Marcus Hutchins, discovered a "kill-switch", which security experts have widely hailed as the decisive step in halting the ransomware's rapid spread around the globe.
WannaCry appears to target mainly enterprises rather than consumers: once it infects one machine, it silently proliferates across internal networks, which in large firms can connect hundreds or thousands of machines, a scale that individual home users do not present.
An unknown number of computers sit behind the 300,000 infected internet connections identified by Kryptos.
Because of the way WannaCry spreads sneakily inside organisation networks, a far larger total of ransomed computers sitting behind company firewalls may be hit, possibly numbering upward of a million machines.
Liran Eshel, chief executive of cloud storage provider CTERA Networks, said: "The attack shows how sophisticated ransomware has become, forcing even unaffected organisations to rethink strategies."
Paying ransom won't get files decrypted
Researchers from a variety of security firms say they have so far failed to find a way to decrypt files locked up by WannaCry and say chances are low anyone will succeed.
However, a bug in WannaCry code means the attackers cannot use unique bitcoin addresses to track payments, security researchers at Symantec found this week.
The result: "Users unlikely to get files restored", the company's security response team tweeted.
Rapid recoveries by many organisations with unpatched computers caught out by the attack may largely be attributed to back-up and retrieval procedures they had in place, enabling technicians to re-image infected machines, experts said.
While encrypting individual computers it infects, WannaCry code does not attack backup systems as more sophisticated ransomware packages typically do, security experts who have studied WannaCry code agree.
These factors help explain the mystery of why such a tiny number of victims appear to have paid ransoms into the three bitcoin accounts to which WannaCry directs victims.
Fewer than 300 payments worth around US$99,000 had been paid into the accounts at the time of writing.
Verizon's 2017 data breach investigations report, the most comprehensive annual survey of security breakdowns, found that it takes three months before at least half of organisations install major new software security patches.
WannaCry landed nine weeks after Microsoft's patch arrived.
"The same things are causing the same problems. That's what the data shows," MWR research head Pratley said.
"We haven't seen many organisations fall over and that's because they did some of the security basics."