Nah, it actually was. There was a point in time where windows was vulnerable without patches, but the limited ipv4 space was available with "bot-nets"/infected PCs. It probably was something Like minutes, so if you were quick between starting up and downloading the patch...

Minutes, I can believe.

> It wouldn't take mere seconds to detect a new device connected to the Internet

You don't need to detect. You just spam exploit packets to every possible IP address and hope some of them hit a vulnerable target.

How do you get the necessary bandwidth to do that? Well you make your malware do the spamming, so as the network of compromised hosts grows, so does the attack traffic, until everyone is spammed with attack packets every few seconds.

The same is happening nowadays, just open tcpdump on a WAN interface and watch the nastiness roll in - you'll see SSH connection attempts (trying to bruteforce credentials), HTTP requests (typically used to exploit shitty PHP CMSes), etc.

I think it was just messages being sent to and displayed by the Windows Messenger service.

https://en.wikipedia.org/wiki/Windows_Messenger_service

A common. I personally witnessed a desktop get MSBlast'ed two seconds after I punched in the IP settings (a public IP) on a freshly installed WinXP.