I get what you're saying but if my threat model doesn't include Microsoft or state-level actors that can co-opt Microsoft or buy/develop hoarded Windows zero-days, then a patched Windows box is probably good enough.