The rate of vulnerabilities that need to be fixed greatly exceeds any IT organizations ability to deploy the fixes. The status quo almost seems to assume that IT operations exist only to deploy patches and implement controls, instead of completing the projects that the business actually needs. This is not a patch management problem. Instead it requires a way to figure out what risks actually matter, and introducing mitigations that don”t jeopardize every other project commitment that the IT organization has, and jeopardize uptime and availability.”]
Source: https://www.csoonline.com/article/2137212/the-vulnerability-arms-race.html