Insurance is not a replacement for good mitigation strategies and practices. Insurance is about being able to meet the costs of recovery - getting things back the way they were before the insured event - should something go wrong.
In many other areas of commercial practice, insurers tend to reward 'better' practices - lower risk usually reduces premiums (there is the ongoing issue of "because this is Australia", but larger entities can insure themselves overseas).
Certainly, sensible legal (and financial/accounting) advice would be to do as much as you can to protect yourself. In many cases, that would mean improving the systems and practices you already have, rather than trying something completely new (most SMEs are not equipped to try out Linux/BSD - they lack in-house expertise and experience, and buying those in is often not a practical short-medium term option).
All the attention tends to go on getting and maintaining capacity to do 'core' business (whatever that might be). Most businesses, and most households, do not upgrade hardware (or software) as often as might be prudent - often because it's an expense that is not accounted for in 'normal' financial management/household budgeting. People still expect computers to last for several years or longer, and most businesses work on a 3-5 year hardware replacement cycle. This is reinforced by tax rules.
The complexity of risk vectors makes this one of the most difficult areas for any business or household to deal with - let alone keep up with. The plethora of ways you can get owned across IT, deliberately or by accident, is almost unimaginably vast. Every individual device, piece of software, every assemblage of hardware, of software, and every person and group of people who use or go near IT is an opportunity for failure.
Insurers love mathematical models, audit processes, and actuarial tables. It will be interesting to see how these develop as more insurers move into more areas of IT risk. It is not for nothing that many of us are worried about the implications of increasing interconnectivity plus 'Big Data' plus IoT and so on. Commercial surveillance is only going to get more attractive, and more vendors will push for more invasive monitoring/'sharing' ("you consent to X, Y, Z as part of this service"; "this agreement requires D, Q, P to be provided/shared/available on a timely/realtime basis"), as they compete to reduce the risk that they cover.
The real fireworks have yet to happen: we have yet to see a requirement that human beings whose lives are affected by failures ought to be compensated, and actual efforts made to restore their lives. Until that happens, the 'real' cost of failures will be dismissed.
Internal costs tend to get pushed around balance sheets, treated as the cost of doing business, and fought over in internal management politics - those are the costs management will readily find money to insure against. Public liability is something big corporate entities strenuously work hard to offload, or have legislated out of their hands.