If my IT staff said that to me, they'd be out of jobs. SQL Slammer was a nearly 100% preventable attack through Microsoft alone. 100% preventable if you had the proper software in place as a safeguard. Being vulnerable to SQL Slammer was almost inexcuseable as admins had over 6 months to patch. MS Blaster was a different story due to the exploit being released only 4 weeks after the vulnerability was released.
I was Blaster-proof via Windows Update long before it ever showed up.