I do a lot of on-site security reviews. Frequently I'm told that all patches are being applied in a timely manner, but when I audit sample servers, I find out that isn't really the case. If you're an IT manager, do a little spot checking to see if necessary patches are being applied. Use your regular patch management auditing tool or simply use Microsoft's free Baseline Security Analyzer (MBSA).
Many organizations cannot patch in less than a few weeks because of security policy or oversight boards. If this is the issue, take your case to management and ask that a faster response be allowed for high-risk scenarios. Your patching strategy must be updated for the times. Waiting weeks to patch servers is no longer a best practice. It's an outlier, and if anyone is ever asked in court to defend how they supported a system, the lawyers and the court system always rely on best practices and due diligence as the baseline defense. Make sure you're not the one having to explain why you deviated from best practices in patch management.