Do you carefully test all the patches to make sure they don't accidentally break anything else, and run the risk of a vulnerability being exploited while you're testing the patch.
Yes you do. However, once you have tested and released the patches and virus definitions, you have a system in place to ensure the said patches are actually passed to the local administrators for installation. You wouldn't expect, for example, the patches to still be waiting for installation more than a month after being certified for release ... would you?
I am suspicious that there has been no mention of our Green bretheren here ... is it really limited to the two blue services?
What I think some are forgetting is that there needs to be a balance between locking systems down to ensure 100% security (no IGS, no e-mail to external agencies etc) and letting us have usable systems that some of us have been battling for for years.
STH