You are vulnerable to attack, but who would attack you?
This is one of the concepts I deal with in consumer IT repeatedly. No one cares about your computer. It's not like hackers roll around your neighborhood out of boredom looking to break into your router.
As somebody who has done wardriving, and who follows the sec scene, I can tell you there are lots of folks out there with time on their hands that do exactly this. You don't have to be a high value target to end up on the radar of a teen with a pentest kit who wants to have some fun. Kali, a venti white chocolate mocha and a few hours of boredom isn't a far-fetched scenario.
I would make sure you are using a good encryption method on your router's password rather than Windows security. The majority of "attacks" happen because users give out personal information to the threat directly.
You would do both. It isn't an either-or scenario, just like not using an outdated and unpatched OS, you take all reasonable steps as preventative measures, because that's simply being responsible. And yes, end user training is critical, since social engineering is by far the biggest threat and is the dominating single common factor in the majority of compromises.
It's the same thing with antivirus. You don't need an antivirus; I haven't run one (including Defender or Microsoft's proprietary BS) for over 20 years, and have had a virus occur maybe ONCE, nothing Malwarebytes portable on a flash drive couldn't handle in 5 minutes. You have a higher risk of SSD failure, and thus data loss, than of being "hacked".
Malicious sites that leverage potentially unpatched exploits or leverage social engineering ("your computer is infected, call this number" in full screen) are blocked by many modern AV solutions like ESET EndPoint. Preventing the end user from accessing this stuff in the first place shouldn't be controversial or pooh-poohed; it's just one more layer in the onion of "reasonable" security. The smaller you can make your exposure surface the better, even though you can never eliminate it.
Security of your operating system is an illusion, I would rather invest time looking into who your cell provider is, who your internet provider is, using a quality and privacy focused encrypted VPN, as well as using good passwords and making sure you don't click on things you shouldn't click on.
Other than changing the egress point of your traffic to a location other than your ISP, what are you really accomplishing with a VPN? Who are you using as a resolver, the provider? How do you know they aren't logging who you are and what sites you visit? The sites themselves and any personal information you provide (like an e-mail address, which is also a target) are far more likely targets than (mostly already encrypted) traffic in transport.
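The resolver question raised above is one you can actually check rather than guess at. The following script is an added example, not code from any poster in this thread: it parses a resolv.conf-style file and reports which configured nameservers sit inside the VPN tunnel's address range and which would be queried outside it (the classic DNS leak, where your ISP's resolver still sees every site name you look up). The sample resolv.conf contents, the tunnel range 10.8.0.0/24, and the 192.0.2.53 resolver are constructed for illustration. Note that the script only tells you where queries go; a resolver inside the tunnel is still the VPN provider's resolver, and whether they log it is exactly the question the post asks.

```python
import ipaddress

# Constructed sample resolv.conf (not from the original post): one resolver
# inside the assumed VPN tunnel range, one that looks like an ISP resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 10.8.0.1
nameserver 192.0.2.53
options edns0
"""

# Assumed tunnel range for the example; on a real box take it from the
# VPN interface (ip addr show tun0 / wg show) rather than hard-coding it.
ASSUMED_TUNNEL_CIDRS = ["10.8.0.0/24"]


def parse_nameservers(resolv_conf_text):
    """Return the IP addresses from 'nameserver' lines, ignoring comments."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                # Malformed address; skip it rather than crash on a bad line.
                continue
    return servers


def classify_resolvers(resolv_conf_text, tunnel_cidrs):
    """Bucket resolvers by where a DNS query would actually go.

    via_tunnel:      resolver address is inside the VPN tunnel range
    outside_tunnel:  resolver is reached over the normal uplink (leak candidate)
    local_stub:      loopback stub such as systemd-resolved's 127.0.0.53; the
                     real upstreams then have to be read from 'resolvectl status'
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in tunnel_cidrs]
    result = {"via_tunnel": [], "outside_tunnel": [], "local_stub": []}
    for ip in parse_nameservers(resolv_conf_text):
        if ip.is_loopback:
            result["local_stub"].append(str(ip))
        elif any(ip in n for n in nets):
            result["via_tunnel"].append(str(ip))
        else:
            result["outside_tunnel"].append(str(ip))
    return result


def check_file(path="/etc/resolv.conf", tunnel_cidrs=ASSUMED_TUNNEL_CIDRS):
    """Convenience wrapper for running the check against a real system file."""
    with open(path, encoding="utf-8") as fh:
        return classify_resolvers(fh.read(), tunnel_cidrs)


if __name__ == "__main__":
    report = classify_resolvers(SAMPLE_RESOLV_CONF, ASSUMED_TUNNEL_CIDRS)
    for bucket, addrs in report.items():
        print(f"{bucket:16s} {', '.join(addrs) or '-'}")
    if report["outside_tunnel"]:
        print("WARNING: DNS queries to the addresses above bypass the VPN.")
```

Run it as-is to see the constructed sample classified, or call `check_file()` on a live machine. An entry in `outside_tunnel` while the VPN is up means the "who sees my lookups" answer is still your ISP, regardless of where the rest of your traffic exits.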
I also live by the concept that those that really do want my data will get it regardless of what I do, because their expertise is probably infinitely higher than mine, and that's after 25 years in IT.
I employ the approach used by the nuclear industry regarding exposure and risk, which is ALARA. While risk will never be zero, using all reasonable means to reduce exposure surface and risk are taken. Make my (relatively low value) data not worth pursuing.
The advice being levied here is essentially:
"Don't worry about it (using an outdated and vulnerable OS), nobody is going to attack you"
"You can't protect yourself anyway, because if they want your data, they are going to get it anyway"
Both of which I don't agree with, nor does the industry at large. While effort is proportionate to the perceived value of the data, that does not mean that lower value targets won't be pursued out of opportunity or boredom. Making yourself "not worth it" is common sense in this context.