Not entirely Merck's fault. It wouldn't have happened (at this time) if Russia hadn't used their weaponized exploit.
There's also something to be said for being the first large-scale victim of a category of catastrophe that is known to be a real threat, but hasn't happened on this scale before.
But you do have a point. There were probably security or IT ops people who warned about this, and if Merck's shareholders take the full hit, organizations will properly feel the risk and adjust their backup & restore processes accordingly. Not so if insurance pays the full damages.
If you cannot trust any of your existing infrastructure anymore, including servers, desktops, storage systems, directory services, and the backup systems themselves, you will not be rebuilding it all in a day...
Our entire software and hardware ecosystem is extremely vulnerable and any single layer or part you can name has been proven insecure. Processors, programming languages, frameworks and packages, undersea cables, routers...it's swiss cheese all the way down.
All of us who are working in software and hardware are in a way to blame for this disaster and until everything is rebuilt from the ground up computing will depend on the worldwide cooperation of benevolent actors.
You're living in a modern IT dreamworld if you believe that.
The number of billion dollar companies out there with thousands of lines of VB6 code and Cobol on an AS/400 is a stupidly large number.
$1.7B? They should be able to destroy and rebuild their entire infrastructure in less than a day.
Have tested backup and restore processes. Ideally have all users in VMs.
I don't see how this isn't entirely Merck's fault.