You probably remember my post about Oracle DBAs rarely installing patches. It was about a study in which Sentrigo claimed (after having asked 305 people) that more than 2/3 of Oracle DBAs do not install the patches provided by Oracle. Now Oracle has recently published a blog post called To Patch or Not To Patch? with some interesting comments that are definitely worth looking at.
There are mainly two things I think we should look at:
Anyway, patching is always a lose-lose game. It is like selling an insurance policy: you have to invest for something bad not happening. So, where is the break-even? What we can do (and have to do) is further reduce the number of vulnerabilities to make patching less necessary and implement defense-in-depth measures to make the vulnerabilities hard to exploit, but will they ever go away completely? I doubt
Exchange 2007 is patched with bi-monthly cumulative rollups. Honestly it's great... plus I think it contributes a lot to supportability. MS doesn't have to test or troubleshoot hundreds of combinations of various hotfixes installed on different installations, and we also get fixes more often than if we had to wait for service packs.