The issue is that it needs to be explained in terms that they can understand: ... or part of your line will fail, randomly, and may take over a day to repair, IF your maintenance procedures are current, if not, you'll lose 4-5 days of line time.
Note: not one mention of "security", or good neighbor, or infection, only cutting to the point.
For sure. When software runs and operates as expected, then the mindset is, "Don't touch it". No one cares that the JRE is old and vulnerable or that it's running telnet with the user name and password both set to 'admin'. Updating is considered more dangerous than the risk of compromise.
I heard a security researcher once say that her greatest fear for SCADA/control systems was compromise by kids/teenagers who had no idea what they had access to and began goofing around on the system. She said that they could accidentally cause more damage than organized attackers.
The installation process he just described was acceptable in the late 1990s but things have moved on since then.