Could be overstating risk
Hmm... is time to patch really that useful an indicator?
Our firm would definitely be among those taking a week or more to apply patches (we're still running SP1 on most workstations), and I haven't a clue how many patches we've applied in the last 6 months. Probably none for the majority of machines.
However, do I feel we have a security risk? Nope, not at all.
Our gateway is well protected by two layers of firewall, both of which *are* fully patched and up to date. We've got up to date anti-virus on every single machine, our e-mail is filtered, and two years ago we disabled all active scripting from within IE.
End result: we're not running around like headless chickens applying patches willy nilly. According to most statistics we're firmly in the *at risk* category, yet we've not had a single security incident in 2 years.
However, despite our precautions we do expect something to get through our defences sooner or later; my bet is that this will be a zero day exploit which all the patching in the world isn't going to prevent. That's why we were very interested in an e-mail we received last week from Winternals.
Their new Protection Manager product sounds like just the thing to finish off our strategy, able to prevent any software running unless it's on our whitelist.
Now once we have that I really will sleep soundly at night. Patched or not.