The Laws of Vulnerabilities assessment from IT security group Qualys found it takes firms on average 62 days to patch internal systems, and 21 days to patch internet-connected systems.
The study also found that 50% of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis, and the lifespan of some worms is unlimited.
"In most cases, worms are circulating faster than systems being patched inside the network. Organisations have to be more aggressive about protecting their internal systems," said Gerhard Eschelbeck, CTO at Qualys.
The research looked at trends relating to four million critical vulnerabilities collected over two and a half years.
Phil Cracknell, security consultant at NetSecurity, said, "There has to be some delay in a patch being released and tested, but I expected it to be lower than 21 days. Companies have to get it down - five days is acceptable. They have to lose the hard-shell, squishy-centre mentality."