I learnt from experts that no protection would have stopped this attack and that ALL operating systems were at risk from this malware.
Sort of. All Windows operating systems were vulnerable, but only the older systems (XP, Windows Server 2003, etc) were vulnerable to infection without user interaction.
The malware can get onto your computer in one or more ways:-
1) You actively download it and run it (surprising how many people download random programs off the Internet and just run them)
2) You actively double click an attachment to an email (which may be a word doc, PDF or powerpoint presentation, etc)
3) You visit a malware ridden website using a web browser that is not fully patched
4) You visit any website that has advertising where the advertising (malvertising) has an infection vector if your browser isn't up to date
5) You computer is remotely vulnerable and is infected by another computer nearby
The latter (#5) is how 'worms' spread, and how a large number of infections of this ransomware spread. Someone double clicks on a dodgy attachment to get their local machine infected and then it tries all of the nearby machines to see if it can remotely infect them (using mostly the Samba vulnerability that was part of the NSA's arsenal [EternalBlue] ).
If you had a patched OS and followed sensible guidelines of not opening attachments from unknown people, or unexpected attachments from known people, then you'd generally be ok.
The NHS's (and general corporate IT) problem is that it has thousands of XP and Windows Server 2003 machines that are required to run legacy software. Or they don't have the funds to upgrade everything all the time.
Luckily a security researcher found that it stopped infecting any further machines if a specific domain name had been registered, so he registered it, but that doesn't help the people already infected.
It won't be long before it's picked apart and used as the basis for version after version and the variants may be even nastier. And it won't be long before malware like this start to include Mac and Linux infection vectors and codebases so it can spread regardless of the underlying operating system (this is what I would do if I was given the job of making an uber-malware).