It suggests it is a difficult problem to stop. As I understand it, attackers now frequently perform an initial compromise and then manually escalate privileges before launching a ransomware attack for greater impact. Alternatively, the attacker will sell privileged access to a ransomware group. This isn't someone from HR opening a malicious attachment and getting the whole company owned via EternalBlue.