I'd bet that security issues in most closed environments are caused more by outdated software than by Defender being updated with the latest definitions.
It also wouldn't surprise me if a centrifuge out there is still running XP whether it's in research or nuclear development!
Yes I agree.
But the perception from most OT vendors (names omitted for their own protection) is that any changes done to a Windows OS image that improve cyber security could potentially impact performance and thus invalidate whatever limited warranty they provide about the reliability and performance of their software.
They're just desperately looking for excuses to refuse your customer service request.
When you dance with the Devil, you wait for the music to stop.
Obviously, the situation is not a dichotomy; a middle ground is sought.
Windows Defender needs regular engine/definition updates, but direct or proxy internet connections may never be authorized due to organization institutional cultural mores that consider air-gapping the crux of good security. Landesk/Ivanti is a good alternative.
Additionally, OS images are often updated, as reimaging is common practice when you have thin clients such as HMI PanelPCs.
So ensuring that the most recent OS image has relatively recent versions of SSUs, CUs, and Windows Defender Engine/Definition is a step in the right direction. If you're installing a fresh copy of v1607/Win10 EntIOT LTSB from 2016 today, because that's the only OS licensed to run on your HMI PanelPC sold by your OT vendor, and they categorically refuse to update their OS recovery image, then it becomes your responsibility to maintain deviations (at the risk of losing their customer service support).
One of those deviations? Windows Defender definitions from 2023. 7 years newer than those that shipped bundled with the Microsoft OEM v1607 R.T.M. ISOs.
Come work in O.T.? Ideally Renewable Energy...