Oftentimes, even when using rock-solid patch management software, a certain percentage of upgrades will fail. In my 20-year-plus experience, the problem rate is somewhere between 1 and 5 percent. That means a machine left unpatched and possibly even a visit by tech support to resolve. And all of us have stories of horrible patch recovery problems that took formatting and complete re-installs to resolve.
Some companies have great patch management software, but policies and necessary regression testing mean it could be a month or more until patches are installed.
Solutions for patch pain
Get on top of your patching. If you don't have systemwide patch management software, get some. Make sure to patch everything on the computer: the operating system, large applications, browser add-ons, everything. If someone else is in charge of patching, spot-check their efficiency. Run Secunia's Software Inspector and see what comes up unpatched.
Except in the rarest of cases (e.g., medical devices requiring regulatory approval, etc.), it's no longer acceptable in today's world to wait more than a week or two to apply a critical patch. Internet-facing servers and computers with access to the Internet need to be patched the fastest. Rank assets by criticality and patch the highest risk assets first. If you can't perform thorough regression testing in a timely manner, create a trustworthy rollback strategy and patch away.
If you cannot patch in a timely manner, look into offsetting controls, like IPS solutions and inline patching solutions. My former favorite inline patching solution, BlueLane's PatchPoint, has been acquired by VMware and doesn't appear to be available at the moment. Anti-malware solutions, firewalls, and auditing certainly have their place in any patching strategy. But all these offsetting controls are doomed to eventual failure. Having fully patched software is one of the best things you can do to improve your security posture.
Many readers might find this topic boring, but I plan to keep covering it until I find more clients fully patched than unpatched. Top echelon computer security administrators know that the best computer security comes from doing the boring stuff consistently great.