That the attacks move up the stack is really nothing new. However, it increases the challenge to secure your environment as you have to take Patch Management all the way. I blogged on that several times already e.g.:
It is obvious as well that applications that are wide-spread are likely targets for the attackers. Adobe is one of these targets and it is getting worse: PDFs are now No. 1 vehicle for web-based attacks – therefore, make sure that you patch all your applications. We are already working closely with Adobe: Microsoft and Adobe: Collaboration Against Threats
What happens when the patch management system install's patches that cause more downtime that the attacks themselves?