The situation is particularly acute in enterprises with more than 5,000 employees, according to a report by ICM Research.
Of the 100 IT directors and managers of companies with over 500 employees polled in the survey, 45 claimed software providers' existing methods of sending out patches were too costly or of poor value.
“Patches can be a real burden, and from a security standpoint a lot of patches are completely irrelevant,” said John Holland, senior vice-president for international operations at security firm TruSecure, which commissioned the study.
Holland pointed to earlier research carried out by the firm, which concluded that of the 4,129 vulnerabilities reported in 2002, less than 2% were exploited by hackers.
Suppliers are not giving users “appropriate” information and patch alert services are too “generic” - they do not take into account what individual companies need, he said.
“Users need added-value services that provide information on criticality to help them prioritise patch application and help balance the workload involved in implementing and testing patches.”
3% of UK IT professionals thought the patch management information they received was 100% relevant to their individual business needs.
45% are concerned about the cost and value of patch management for security flaws.
61% of respondents said managing risk is more important than simply managing security at an operational level.