How have things gotten so out of control?

I’d put money on it being a lack of patching, or a weak password for one of the accounts on the system. It looks like MS Terminal Server is open, I presume to the world and not just SmartData, so could be an easy way in. Do they have a website? Any access to its logs? Wondering about SQL Injection there.

What did the “managing” company say? (I can guess…)

FWIW I’d add “regularly run Windows Update” to your list for “regular Jo” too. For a server I’d replace “Firewall software” with “use a hardware firewall, configured to block everything, then only unblock what you know you need” too, but then your list isn’t aimed at “regular Jo sysadmins” ;-)
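As an added illustration of the "block everything, then only unblock what you know you need" advice (this is not part of the original comment): the same default-deny approach applied with the Windows host firewall instead of a hardware appliance, which also closes the "Terminal Server open to the world" gap by limiting RDP to one network. The management subnet 10.0.5.0/24 and the choice of 80/443 as the only public service are assumed placeholders.

```powershell
# Added example, not from the original post. Default-deny inbound on a Windows server,
# then allow only the services that are genuinely needed. Run in an elevated PowerShell
# on Server 2012 R2 or later (NetSecurity module). Subnet and ports are assumptions.

$MgmtSubnet = '10.0.5.0/24'   # ASSUMPTION: the only network that should reach RDP

# 1. Block all inbound traffic by default on every profile, allow outbound, log drops.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Disable the built-in "any source" Remote Desktop rules so RDP is not open to the world.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 3. Re-allow RDP only from the management subnet.
New-NetFirewallRule -DisplayName 'RDP from management subnet only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain,Private

# 4. Allow the public website, the one service that is supposed to be reachable by anyone.
New-NetFirewallRule -DisplayName 'HTTP/HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow

# 5. Verify: list every enabled inbound allow rule and its ports, then review for surprises.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort |
    Sort-Object InstanceID
```

The order matters: set the default to Block first, then add the narrow allows, so there is never a window where the host is wide open. Step 5 is the check to repeat after any software install, since installers routinely add their own "allow from anywhere" rules.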