Common off the shelf is good enough, just as long as they are updated.
"Wrong. COTS operating systems consist of tens of millions of source lines of code (SLOC). Studies of application code show defect densities of 1–3 bugs per 1,000 SLOC (kSLOC) [failure rates], meaning that these COTS OSes contain literally tens of thousands of bugs. Given that OS code tends to be more complex and tricky than application code, it may even be worse. It is therefore no surprise that these systems get compromised regularly.
Keeping the software updated is better than not keeping it updated, as it means that at least the latest patches are applied. However, this provides no protection against vulnerabilities that have not yet been identified and fixed by the manufacturers. Zero-day exploits, detected by attackers but not yet known by the defenders, are common enough to be traded on the dark web. State actors are known to look for those and hoard them for use against specific targets. Hence, applying the latest patches does not provide sufficient protection against advanced persistent threats (APTs), such as state actors and organised crime."
"Get it right or get it wrong, without a secure OS all else is lost" -- Phil