The downtime involved in testing and applying patches is increasingly unacceptable. As one IT director of a medium-sized company said, "If I applied every patch, my system would be down more often than it is up."
Of course, old-timers say this is a familiar problem: IBM was notorious for the amount of patching needed on its mainframes. However, these were inward-facing systems, whereas today's systems face outwards. Also, fewer systems were 24-hour operations, and IT teams had the luxury of being able to reboot every night.
The degree to which IT managers can address the issue varies according to the size of the organisation. Larger sites have more specialised staff and more capacity to get around the problem by, for example, testing patches in a secure area before applying them to the whole network.
The situation is compounded because many IT managers in larger companies will not know which versions of software are in use across their organisations.
We will see growing demand this year for Microsoft to consolidate its patches to reduce the impact on companies' systems, and grade patches for degree of severity in a practical way.
So what do IT managers do until then? One piece of advice, from an eminent practitioner to a group of high-powered IT managers, was to forget patching completely. He said it is like repairing roof tiles when the barn door is open. His advice was to assume you are penetrable and put in other defences that do not rely on Microsoft security.