The problem is hardware makers didn't pull their finger out and turn on features in the BIOS that, as you say, Microsoft had wanted since Win 8.1. And which are in many BIOSes, but users don't know what a BIOS is. Whose fault is that?
So Microsoft had given them 10 years and they still weren't moving towards the secure platform that MS wanted.
Completely agree. My NUC meets the hardware requirements so I'm running 11, although I disabled BitLocker, which was only enabled on my OS drive. I still had to turn TPM and Secure Boot on in the BIOS. I was dual booting and wanted to get rid of the second OS, so I disabled BitLocker, deleted the partition and the recovery partition for the 2nd OS. I wasn't able to expand the C drive using Disk Management so I did it with another utility.

I happened to do some disk mark tests before enabling BitLocker. On my Sabrent Rocket Q4 Gen 4 NVMe drive I was getting 4600 MB/s read and 2200 MB/s write consistently on sequential 1MB reads/writes. After enabling BitLocker again, there were 2 options: current data or entire disk. I chose entire disk. After that, read speed dropped to 3500 MB/s and write would start at 1900 MB/s but after a while would drop to 550 MB/s, and it was noticeable on large file copies. So, I have TPM 2.0, but without BL enabled it is pointless.

Personally, I believe it should be up to hard drive manufacturers to have native hardware encryption, as hardware-based encryption is better than software-based. Based off my research, hard drive manufacturers just can't be trusted to do so, so that's why MS is enabling BL by default in 11. Had hardware makers stepped up earlier, none of this would be an issue. People only get mad if they have to change something. If hardware makers had enabled TPM and Secure Boot, it would be a moot point outside the CPU compatibility list.
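For anyone wanting to confirm the state this post describes (TPM 2.0 present and ready, Secure Boot on, BitLocker status and method on the OS volume) without digging through the BIOS, here is an added example; it is not code from any poster in this thread. It assumes an elevated PowerShell session on Windows 10/11 with the built-in TPM, SecureBoot and BitLocker modules available.

```powershell
# Added example: one-shot report of the platform-security settings discussed in the thread.
# Assumes an elevated PowerShell session; cmdlets used are the built-in
# Get-Tpm, Confirm-SecureBootUEFI and Get-BitLockerVolume.

function Get-PlatformSecurityReport {
    $report = [ordered]@{}

    # TPM presence/readiness (Get-Tpm) and spec version (WMI Win32_Tpm); the
    # Windows 11 requirement is 2.0. SpecVersion reads like "2.0, 0, 1.16".
    $tpm    = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report['TpmPresent'] = $tpm.TpmPresent
    $report['TpmReady']   = $tpm.TpmReady
    $report['TpmSpec']    = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    # Secure Boot: Confirm-SecureBootUEFI throws on a legacy-BIOS (non-UEFI) boot,
    # which is itself a finding because Secure Boot cannot be enabled there.
    try   { $report['SecureBoot'] = Confirm-SecureBootUEFI }
    catch { $report['SecureBoot'] = 'not available (legacy BIOS boot?)' }

    # BitLocker on the OS volume: encryption state, cipher, and whether protection
    # is actually on (a volume can be encrypted with protectors suspended).
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if ($os) {
        $report['OsVolume']         = $os.MountPoint
        $report['VolumeStatus']     = $os.VolumeStatus        # FullyDecrypted / FullyEncrypted / ...
        $report['EncryptionMethod'] = $os.EncryptionMethod    # e.g. XtsAes128, XtsAes256, None
        $report['ProtectionStatus'] = $os.ProtectionStatus    # On / Off
        $report['KeyProtectors']    = ($os.KeyProtector.KeyProtectorType -join ', ')
    }

    # The poster's point, stated as a check: a ready TPM with BitLocker off
    # gives measured boot but no disk protection.
    $report['TpmWithoutBitLocker'] =
        ($tpm.TpmReady -and $os -and $os.ProtectionStatus -ne 'On')

    [pscustomobject]$report
}

Get-PlatformSecurityReport | Format-List
```

`manage-bde -status C:` additionally shows whether the volume was encrypted with "Used Space Only" or fully (the "current data" vs "entire disk" choice above), which Get-BitLockerVolume does not expose.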
The biggest change in 11 is by far security (even though TPM and Secure Boot are not new), and I'm pretty positive ransomware is the driving force behind that and why VBS is required (at least a specific version). It isolates apps from each other, which causes 11 to run slower on an unsupported CPU, so you're better off sticking with 10.
It's usually cheaper to pay unless you have good security and at least one security expert if you're a business. Particularly due to the fact that it often takes months to get access to key systems, so you have to find out when you were infected, but if it's months, a lot of backups are already infected. Anyone with such bad security that it went unnoticed for months is not going to be able to get current data back that isn't already compromised. I work for a software company that sells software to state DOTs. Both Colorado and Georgia got hit with the same ransomware. Colorado paid, Georgia didn't. Colorado paid 5 million and was back up and running. Georgia ended up spending over 20 million and it took months to get things back to normal. The DoD has required TPM and Secure Boot for all computers for quite some time.
I was talking to the head of our IT at work. Someone clicked a link they shouldn't. Within 5 minutes multiple people were notified via text and email about being hit by ransomware and restored everything to 5 minutes before it happened and never looked back.