Superficially, it would appear that, if your inner LAN is on one OS, and access to the web is available only through a different OS, a “Stuxnet” type virus would not execute.
In point of fact, if you write an auto mount for a Windows system, and put it on the thumb drive on any OS, the virus automounts in the Windows environment despite the initial barrier.
Nonetheless, the thumb drive wouldn’t phone home “satisfactorily” under Linux or Leopard; the A.P.T. would be forced to maintain a separate virus (trojan?) on the Linux or Leopard “box,”to scoop the file (possibly encrypt it,) and ftp it “home.”
One reaction to this would be to keep the LAN OS type private. That would be impractical, if the difficulty of keeping a secret between n people were similar to 2^n or n^n. In fact, it would not be possible to hire programmers to maintain the network without publishing some clues about the OS environment.
Although it might be fruitless, proliferating Operating Systems proliferates competency requirements. This adds cost for the business, but also for the A.P.T. It might not be worth the trouble, but it is worth considering.