21 tweets, 5 min read
These 4 rules are idiotic, created by idiots. They demonstrate how anybody can claim to be an expert by telling everyone else to "take security seriously".
It's like in that Simpsons episode when Homer is afraid of getting fired, so he tries to make it seem like he's doing something important by going around telling everyone to "stop being so unsafe" and "safen up!".
Let's look at number 1, updating devices. Yes, all else being equal, you should be updating devices. But updating devices has a cost. For the average person, the cost of keeping everything updated may be larger than the costs of not doing so.
"Updating" usually takes the #1 spot on such lists because it's the purest trope of "taking security seriously". It pretends that your risk comes from moral weakness like laziness, greed, pride, etc. The advice is that you be 'strong' in some fashion.
The #2 item on that list, "Strong passwords", comes from the same trope. Stop being so weak, if only you were strong. Easily guessed passwords really aren't much of a problem.
Now, password reuse is a big problem. Password reuse is your #1 threat. Don't use the same password across your accounts. It's okay to use weak, easily remembered passwords and to write them down as long as YOU DON'T REUSE THE SAME PASSWORD ACROSS YOUR ACCOUNTS.
But people don't understand the order of things. They imagine security is about being morally strong, so they choose a big complicated password. Which, of course, they can't do for each different website, so they end up reusing the same password everywhere.
As for #3, free public WiFi is fine. I'm using it right now as I type this. If all the websites you visit are protected by SSL, you are probably fine. Be wary of any website that isn't SSL protected.
If you visit a shopping site or bank site that doesn't use SSL, then don't use that site, regardless of whether you do so from the safety of your home or an airport bar. If these things can't be safe over free public WiFi, they can't be safe anywhere.
Their #4 item is the funniest: "Don’t fall for phishing scams". It's like advising people on automobile safety "don't get into accidents", or advising people on health "don't get sick".
We imagine that spotting phishing is easy, because so many phishing scams are easy to spot. But we need to think of it in terms of the phisher. Sure, it's easy to spot --- 99% of the time. They just need 1%, or even 0.01% of the targets to make a mistake.
A little knowledge goes a long way in preventing many attacks, but here's the thing: even experts can get fooled by really good phishing attempts.
That's why as an expert, I don't rely upon my phishing spotting skills. Instead, I create different email accounts for different purposes. I can spot PayPal phishing attempts against my well-known email account because it wasn't sent to the private account I use for PayPal.
The silly thing is that you are telling people not to do the thing the system was designed to do. Modern email is designed with the idea that you should click on links or attachments. Telling people they should stop doing this is therefore absurd.
It's like telling people that avoiding car accidents is easy: just don't step on the gas pedal. I assure you that this will work almost all the time. I mean, sure, my car was totaled once while parked because somebody else crashed into it -- but that was because they used their gas pedal.
This tweet makes a good point: weak passwords and insecure WiFi were much different a decade ago. Part of the problem of these 4 things is that they are out-of-date.
This tweet makes a good point: so many passwords are for throwaway accounts. Absolutely, reuse weak passwords for throwaway accounts, like for Adobe. I use the password "Foobar123" a lot for this situation. Also, throwaway email addresses.
I mean, you'd assume that it goes without saying "Never post your password on a public forum", but I just did that. But that reflects the flawed thinking that you can have only one password. If you do, it's already public, like in the Adobe breaches.
This website will tell you if your password has become public, by tracking all the major breaches, like Adobe's, that have made it public:
haveibeenpwned.com
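As an added example (not code from the thread or from haveibeenpwned.com), here is a small password-hygiene audit that does the two things the thread argues matter: it finds passwords reused across accounts, and it checks each password against the Pwned Passwords range API that haveibeenpwned.com exposes. The lookup uses the API's k-anonymity scheme: only the first five hex characters of the password's SHA-1 hash are sent, and the service answers with every hash suffix sharing that prefix plus a breach count. The `fetch_range` callable is injectable, so the audit runs offline against a constructed response (`fake_range_fetcher`, with a constructed count of 42 for the "Foobar123" password the thread mentions); the account list and the function names are assumptions of this example.

```python
"""Password-hygiene audit: reuse detection plus a k-anonymity breach lookup.

Added example; the account data and breach counts below are constructed.
"""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple
from urllib.request import Request, urlopen

# Real endpoint of the Pwned Passwords range API: GET RANGE_URL + <5 hex chars>.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank or malformed lines are skipped."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.strip().upper()
        if len(suffix) != 35:  # 40 hex digits minus the 5-char prefix
            continue
        try:
            table[suffix] = int(count.strip())
        except ValueError:
            continue
    return table


def fetch_range_online(prefix: str) -> str:
    """Fetch one hash range from the live API (network; not used by the offline demo)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "password-hygiene-audit-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """How many times the password appears in known breaches (0 = not seen).

    Only the 5-char prefix leaves the machine; the suffix match happens locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def find_reuse(accounts: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group accounts sharing a password. Keys are SHA-1 digests, so the report carries no plaintext."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for site, password in accounts:
        groups[sha1_hex(password)].append(site)
    return {h: sorted(sites) for h, sites in groups.items() if len(sites) > 1}


def fake_range_fetcher(seen: Dict[str, int]) -> Callable[[str], str]:
    """Offline stand-in for the API, built from a constructed {password: count} table."""
    def fetch(prefix: str) -> str:
        # A decoy entry stands in for the hundreds of unrelated suffixes a real range holds.
        lines = ["F" * 35 + ":1"]
        for pw, count in seen.items():
            digest = sha1_hex(pw)
            if digest[:5] == prefix:
                lines.append(f"{digest[5:]}:{count}")
        return "\r\n".join(lines)
    return fetch


def run_audit(accounts: List[Tuple[str, str]],
              fetch_range: Callable[[str], str] = fetch_range_online) -> dict:
    """Return {'reused': {digest: [sites]}, 'exposed': {site: breach count}}."""
    return {
        "reused": find_reuse(accounts),
        "exposed": {site: breach_count(pw, fetch_range) for site, pw in accounts},
    }


if __name__ == "__main__":
    # Constructed sample: one throwaway password reused on two sites, one unique passphrase.
    sample_accounts = [
        ("paypal", "Foobar123"),
        ("adobe", "Foobar123"),
        ("bank", "constructed unique passphrase for this example"),
    ]
    offline = fake_range_fetcher({"Foobar123": 42})  # constructed breach count
    report = run_audit(sample_accounts, offline)
    for digest, sites in report["reused"].items():
        print(f"reused password {digest[:8]}... on: {', '.join(sites)}")
    for site, count in report["exposed"].items():
        print(f"{site}: seen in {count} breach records")
```

To run it against the live service, call `run_audit(accounts)` without the second argument; the plaintext passwords never leave the process in either mode, which is the point of the range lookup.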
This post makes a good point that a large part of the burden is on industry to make upgrades work. Home routers are a prime example. Most of the people telling you to keep your devices patched keep their iPhone patched, but not their home router.
Multiple people have pointed out that with HSTS and TLS/1.2, you can't easily fully assess the security of a site by simply looking for https://... The situation is more complicated than just that.
Keep Current with Rob ☃️ Graham