If a government entity was willing to pay for 0-day exploits to target a specific system and infrastructure I don't think it really mattered what OS was behind the controllers since they'd be building the super-virus to the needs of the assignment.
I don't think that conclusion, or the more general one, that endpoint security can't be a significant barrier, can be drawn yet. The level of good security practices in this case is very low. Once the air gap was breached they were done.
