Chapter 3. Rule Number 1: Patch Your Systems

If the thing security administrators hate most is attackers, the thing they hate second most has to be patches. Nothing rouses emotions quite so much as patches. Everyone dislikes them, from the developers who have to create them, to the software vendors that have to release them, to the administrators who have to deploy them. Quite possibly, only two groups like patches: the software vendors that sell patch management solutions and the security researchers who use vulnerability discoveries as marketing tools.

We hate patches, too. Patches disrupt the normal workflow and make us do maintenance work. Nobody likes fixing things, particularly not when it is not evident that they are broken. The problem is that if we do not patch our networks now, attackers will often demonstrate with ample clarity just how broken they in fact are.

