Why we're still seeing unpatched software

Security teams are well aware of the dangers of unpatched software. But even with patches having been announced, the bugs remain. Here's why.

Tal Morgenstern | November 02, 2021

Despite industry awareness that 60% of data breaches stem from unpatched software, “fix” still doesn’t get done. And how about these statistics from the 2020 Veracode software security report? Do they match your organization’s patch rates?

  • 70% of bugs remain unpatched after 4 weeks.
  • 55% of bugs remain unpatched three months later.
  • 25% of high-vulnerability bugs not addressed after 290 days.
  • 25% of less critical bugs not patched a year later.

The nature of patching in today’s complex software landscape—especially for large organizations—generates a multitude of nagging reasons to delay. This is in spite of the damage a brand will suffer when customer confidence gets shaken by a breach that compromises sensitive data.

And those breaches will happen. Hackers up their game even as the measures used against them evolve, coming up with exploits for newly-announced vulnerabilities. Cyber criminals employ automation as a force multiplier and are starting to use AI with ever-more-sophisticated ways to find their way in, especially against the soft underbelly of work-at-home employee machines that account for 35 percent of all system breaches.

Studies have shown that cyber attacks on big-name brands, especially financial institutions that get hit 300% more than other types of organizations, can result in a 6-15% loss in value. 

The key to better protection: Understand the problems and then work within your organization’s unique DevSecOps culture to evolve to a better cyber security posture.

3 reasons for unpatched software

It’s important to understand the nature of the problems preventing patches in order to devise an effective process to get them done faster. Unfortunately, it’s a perfect storm of ever-expanding scope, conflicting logistical priorities, and personnel-related challenges. 

1. Patch volume challenges ability to get fix done

According to the CVE Program Report, the year 2020 saw a total of over 18,000 new vulnerabilities. That report did not take the COVID effect into account, with many employees sent to work from home, most using personal “Bring Your Own Device” (BYOD) equipment.

These conditions exacerbated a set of existing problems:

  • Growing attack surface: With IOT, mobile and BYODs, more patches from more vendors must be applied to keep the attack surface safe.
  • Sheer number of assets: Asset management systems have a difficult time keeping track of everything, naturally leaving software unpatched. 
  • Lack of any standard vulnerability communication method: It’s difficult for dispersed, siloed teams to know what to fix. There are too many channels of communication and too few people to monitor them.
  • High volume of vulnerabilities found by scans: Especially common with larger organizations and enterprises with many silos, all scanning separately.
  • Ambiguous priority ratings: Associated with vulnerability reports that do not take into account a specific company’s infrastructure and other circumstances. For example, is the patch really a high priority if the asset is behind a firewall?

Organizations get overwhelmed by these volume problems, especially when their logistical processes are not equipped to handle the load. The result? More unpatched software. 

2. Logistical issues lead to unpatched software

The next set of reasons accounts for an organization’s readiness to even start planning mitigation procedures. Many logistical barriers delay or even eliminate the opportunity to fix vulnerabilities:

  • How strong are the fundamentals to know not just the assets in service, but how they are used? You can’t automate unless you know when and how to roll out patches.
  • How confident are you that the fix was properly applied? This includes any administrative tasks that need to be done, such as changing passwords and setting configuration values. The patch could get deployed, but it won’t work unless administration gets done right.
  • How much time is needed to soak-test remediations in non-production systems to prove that the fix works? It’s wise to test, but it also adds more opportunities for production systems to get hacked.
  • How many times do scheduled patches get pushed back because priority patches must go first? This happens when the organization can’t absorb the impact of doing both scheduled and priority patches in a short window.
  • How well does the infrastructure support live patching through the use of load balancers managing sets of service nodes? Lacking this kind of network topology, the company must suffer service downtime instead of putting each node through a patch-and-cycle process while the others stay up.

The larger the organization, the more employees working and assets in service—making these reasons for delay much more likely. And then, once the work gets scheduled, the mitigation speed depends on the staff responsible for doing it.

3. Personnel effectiveness in an overwhelming threat landscape

A number of personnel issues also delay the rollout of patches:

  • Does the staff have enough skilled personnel to do the job? The industry worldwide reports a nagging shortage of skilled cybersecurity workers.
  • Does the staff have the confidence in their ability to even catalog and prioritize—not to mention deal with—the great number of patches to do? Underskilled workers pushed into cybersecurity likely lack the advanced knowledge to perform with proficiency.
  • Do siloed teams have to act independently to deal with their own issues, in a vacuum? Lack of visibility of each others’ problems, and the inability to share knowledge, degrades an organization’s ability to patch efficiently.
  • Do development teams do enough to prevent new problems? Not just patches, but also development and integration—does each worker understand the need for security and how to prioritize his or her individual efforts? If prevention is the best patch, then are they all doing what’s best, right now, within their initiatives? Do they even know? How would they know?
  • Do remote workers do their part to apply patches on time for BYODs? Does the remote worker, using either company-supplied or BYOD equipment, perform patches on time, or delay them for personal productivity reasons?

The variety of personnel issues underscores the need to make DevSecOps a whole-company culture.

Implementing a DevSecOps culture of risk-based remediation – so nothing critical goes unpatched

The Vulcan Cyber® risk-based remediation platform helps tame the issue of volume, alleviate logistical challenges, and make the best use of your short-staffed cybersecurity personnel, making it a catalyst for growing your DevSecOps culture. 

1. Fix patch volume issues with a platform that integrates with the tools in place

Vulcan integrates with a wide variety of top industry tools, out of the box. More are added all the time.

  • Vulnerability scans create a new problem: Even small organizations these days have multiple scanning tools in service looking for problems. Larger companies, of course, have more. This creates huge volumes of data, too large for manual processing. Vulcan digests all this data for you into a seamless prioritized report. 
  • Threat intelligence database creates a new solution: Just because a given vulnerability is “high priority” does not mean it’s a first-tier fix. Nor does it mean the patch needs to be applied immediately, as there might be alternative remediations. The Vulcan threat intelligence database combines public feeds with proprietary enhancements to give you the best possible set of remediation actions to put into your plan.

The volume problem gets transformed into a manageable set of tasks that maximize your company’s attack posture with the minimum resources required.

2. Fix logistical reasons: Get DevSecOps automated and integrated into the control surface

AI-enhanced threat and mitigation identification enables you to automate the fix. Vulcan integrates with your DevOps tools and alleviates logistical barriers through automation:

  • Automation acts as a force multiplier for your short-staffed security personnel. Vulcan’s integration capabilities allow the automated processes to be monitored and controlled in one place.
  • Incorporate system tests into the control plane to get through testing faster, including validation that the tests worked. This helps you get the validated fixes where they really need to go: into your production systems.
  • Measure improved uptime with the control plane as systems get upgraded, to spread the load across a set of servers running behind a load balancer. This allows services to continue running while one server at a time gets patched. Parallel servers enable dev, test, and production environments to get fix done faster, using Vulcan to orchestrate hands-free patches that roll out automatically to load-balanced service nodes.

It’s one thing to make architectural improvements. It’s another when you can actually measure their effectiveness to improve uptime.

3. Fix personnel effectiveness: Get people looking at the same cyber security landscape

The best way to improve DevSecOps culture is to get the organization seeing the same set of problems and working together to fix them. This means across silos, departments, and management hierarchies.

  • Get everyone working together through an AI-assisted cyber security platform and single control plane. Get all the problems out into the open to make better decisions on what to fix, why, and when across the enterprise.
  • Get everyone working efficiently with integration capabilities so the tools you already have not only do their original jobs, but are part of an orchestrated workflow. Staff from all disciplines can work together to improve automation and architecture with security as the goal.
  • Get the most out of your security personnel by enabling them to focus on bigger problems instead of burning time on manual, repetitive, and possibly error-prone tasks.

The ultimate goal: See your control over DevSecOps increase by creating scheduled small patches of highest-priority fixes, running them frequently with minimum downtime, and do it so effectively that there’s no longer a difference between “planned” and “emergency” patches.


Logistical and personnel issues, teams working in silos, and the sheer volume of vulnerabilities and patches can all lead to unpatched software, either through patches being missed or delayed. A DevSecOps approach to risk remediation allows you to find and prioritize vulnerabilities while facilitating collaboration among teams to ensure nothing is overlooked. The Vulcan Cyber risk management platform automates and orchestrates your vulnerability management programs and integrates with your existing tools to make unpatched software a thing of the past.

Find and prioritize vulnerabilities with Vulcan Free or get fix done with Vulcan Remedy Cloud.


Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy