A study of Internet security flaws showed that for serious issues, half of vulnerable systems remain unfixed after 30 days.
The more serious the vulnerability, the quicker the companies patched it, the study found. Companies took longer to fix flaws thought to be less serious--as much as 60 days longer--by which time, in 80 percent of the cases, security researchers and hackers had released programs to exploit the flaws.
http://zdnet.com.com/2100-1105_2-5058058.html