Re: The real blame goes to..
Microsoft released patches for currently supported operating systems two months before the WannaCry exploit. Unless things have changed dramatically since the middle of 2012, outward facing US DoD systems were patched well before a month after patch release - the requirement then was to patch Category I vulnerabilities within 15 days of patch availability. EternalBlue unquestionably was a Category I vulnerability. So was use of an unsupported software product like Windows XP, although there is no remediation for that, not even application of a patch for the vulnerability; Windows XP would have been disallowed within the DoD as of April 30, 2014.
Use of SMB version 1 might or might not have been as severe a vulnerability, but it would have been one beginning when Microsoft deprecated it, and at worst ought to have been discontinued within 180 days, which would have been before the end of 2014.
The DoD is a far from perfect organization in IT as in other things. But the outlines of their information assurance standards are not that hard to understand or, in principle, to implement. Their implementation is tedious, annoying, expensive in terms of staffing, and all too often disruptive to the operations the IT staff support.
Many organizations, including the DoD agency that employed me, do not consider IT part of their core mission. For some, not including my agency, that result in treating it as a cost center to be starved of staff and funds to the maximum possible extent, taking heedless of the potential cost and damage that inattention to security patching and configuration can bring.
Blaming the NSA may have some merit, but their behavior in retaining some vulnerability knowledge was approved at the highest level in the executive branch and certainly is not meaningfully different from that of similar agencies in other countries. At least as much blame is due the management of organizations victim to these recent attacks.