Despite being a big fan of open source software, this does not make a difference. Microsoft released patches for new Windows systems relatively quickly (in March if I recall correctly).
I bet there are still tons of systems that suffer from Shellshock or Heartbleed because they are either not updated at all or they are running old Linux versions which are no longer supported (I bet there are still tons of RHEL/CentOS 2, 3, 4, and 5, which no longer get security updates or the companies do not have extended support contracts).
The real issue is that people are afraid of updates because they tend to break things. They do not want to invest into "slow rollout strategies" and the like.
If updates were applied immediately to 10% (or maybe even less if the company is big enough) of all machines, and if there was a way to quickly roll back the update, there would be fewer problems and the consequences of failed updates would be less severe. This way you can have your systems up-to-date within 48h (maybe: 1% of 'key users' who do not freak out if things break, and then after maybe 4h 10% of normal users who can call "IT support" to roll back the update, and after 24-48h, all PCs. This would be even easier for stateless servers because you could redirect all requests to other servers if the 10% fail, with 0 downtime).
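The staged rollout the comment proposes (1% of key users first, 10% after 4h, everyone after 24-48h, with a rollback if a cohort breaks) can be sketched as a small controller. The code below is an added example and is not the commenter's code; the cohort fractions and delays are the ones from the comment, while the 5% failure threshold, the machine names, the health-check outcomes and the rule that a failing cohort rolls back everything patched so far are constructed assumptions for illustration.

```python
"""Staged patch rollout with automatic rollback (added example, not the
commenter's code). Cohort sizes and delays follow the comment; the failure
threshold and the constructed fleet are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# Cohort schedule: (name, cumulative fraction of the fleet, hours after start).
SCHEDULE = [("key_users", 0.01, 0), ("early", 0.10, 4), ("all", 1.00, 24)]

# Roll back if more than this fraction of a cohort fails its post-update
# health check (assumed threshold, not from the comment).
MAX_FAILURE_RATE = 0.05


@dataclass
class Machine:
    name: str
    key_user: bool = False             # users who tolerate breakage
    patched: bool = False
    healthy_after_patch: bool = True   # constructed health-check outcome


@dataclass
class RolloutResult:
    patched: List[str] = field(default_factory=list)
    rolled_back: bool = False
    failed_cohort: Optional[str] = None
    log: List[str] = field(default_factory=list)


def plan_cohorts(fleet, schedule=SCHEDULE):
    """Split the fleet into cohorts in schedule order. Key users are taken
    first so they land in the earliest cohort; each cohort extends the
    cumulative fraction reached by the previous one."""
    ordered = sorted(fleet, key=lambda m: not m.key_user)  # stable: key users first
    cohorts, already = [], 0
    for name, fraction, hours in schedule:
        target = max(already + 1, int(round(len(ordered) * fraction)))
        target = min(target, len(ordered))
        cohorts.append((name, hours, ordered[already:target]))
        already = target
    return cohorts


def run_rollout(fleet, health_check, schedule=SCHEDULE, max_failure_rate=MAX_FAILURE_RATE):
    """Patch cohort by cohort; stop and roll back the whole fleet as soon as
    one cohort's failure rate exceeds the threshold."""
    result = RolloutResult()
    for name, hours, machines in plan_cohorts(fleet, schedule):
        if not machines:
            continue
        result.log.append(f"t+{hours}h: patching cohort '{name}' ({len(machines)} machines)")
        for m in machines:
            m.patched = True
            result.patched.append(m.name)
        failures = [m.name for m in machines if not health_check(m)]
        rate = len(failures) / len(machines)
        result.log.append(f"  failures: {len(failures)} ({rate:.0%})")
        if rate > max_failure_rate:
            for m in fleet:            # roll back everything patched so far
                m.patched = False
            result.patched.clear()
            result.rolled_back = True
            result.failed_cohort = name
            result.log.append(f"  rollback triggered by cohort '{name}': {failures}")
            break
    return result


def default_health_check(machine):
    return machine.healthy_after_patch


def build_fleet(size=100, broken=()):
    """Constructed fleet: the first two machines are key users; names listed
    in `broken` fail the health check once patched."""
    return [
        Machine(f"pc{i:03d}", key_user=i < 2, healthy_after_patch=f"pc{i:03d}" not in broken)
        for i in range(size)
    ]


if __name__ == "__main__":
    print("\n".join(run_rollout(build_fleet(), default_health_check).log))
    print("\n".join(run_rollout(build_fleet(broken={"pc001", "pc005"}),
                                default_health_check).log))
```

With the constructed 100-machine fleet the cohorts are 1, 9 and 90 machines; a breakage that only shows up in the 10% wave stops the rollout there and reverts the ten machines already patched, which is the point of the comment: the blast radius of a bad update is a cohort, not the fleet.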