Those of you out there tasked with discovering vulnerable machines and maintaining their patch status, how do you do it?

I am curious which methods or tools are most used for determining which machines need patching or what patches they need? Are you using open source or commercial programs? How do you track the patch implementation to ensure you have completed the job?

Are there any other methods anyone could recommend for finding or identifying machines that need to be patched, short of performing an actual vulnerability scan? For instance, I could just do a port scan on my network to identify machines that might have vulnerable ports open when they shouldn't have. Any other ideas along those lines?
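As an added example, not part of the original post or any particular tool, here is one way to answer two of the questions above without a full vulnerability scan: reconcile an exported host inventory (installed package versions plus listening ports) against a minimum-version baseline and a per-role port allow-list, then diff two audit runs to track which machines have actually been closed out. Every host name, version, port and baseline value is constructed sample data; the inventory format is an assumption standing in for whatever your configuration-management or asset system exports.

```python
"""Added example (not from the original post): reconcile a host inventory
against a patch baseline and a per-role listening-port allow-list, then diff
two runs to track which machines still need work. All hosts, versions and
ports below are constructed sample data."""
import copy
import re
from typing import Dict, List, Set, Tuple

# Minimum acceptable version per package (constructed baseline).
BASELINE: Dict[str, str] = {
    "openssh-server": "8.9",
    "nginx": "1.24.0",
    "postgresql": "15.6",
}

# Ports each role is expected to listen on (constructed allow-list).
PORT_ALLOWLIST: Dict[str, Set[int]] = {
    "web": {22, 80, 443},
    "db": {22, 5432},
}

# Constructed inventory, as a config-management agent might export it.
HOSTS: List[dict] = [
    {"host": "web-01", "role": "web",
     "packages": {"openssh-server": "8.9", "nginx": "1.24.0"},
     "open_ports": {22, 80, 443}},
    {"host": "web-02", "role": "web",
     "packages": {"openssh-server": "8.4", "nginx": "1.24.0"},
     "open_ports": {22, 80, 443, 8080}},
    {"host": "db-01", "role": "db",
     "packages": {"openssh-server": "8.9", "postgresql": "15.4"},
     "open_ports": {22, 5432}},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version -> tuple of ints. Only each component's leading digits
    are used, so '9p1' compares as 9; distro suffixes are ignored."""
    out = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def version_lt(installed: str, required: str) -> bool:
    """True if installed < required; shorter tuples are zero-padded so that
    '2.0' compares equal to '2.0.0'."""
    a, b = parse_version(installed), parse_version(required)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def outdated_packages(host: dict) -> List[Tuple[str, str, str]]:
    """(package, installed, required) for every package below the baseline."""
    return sorted(
        (pkg, ver, BASELINE[pkg])
        for pkg, ver in host["packages"].items()
        if pkg in BASELINE and version_lt(ver, BASELINE[pkg])
    )


def unexpected_ports(host: dict) -> Set[int]:
    """Listening ports outside the role's allow-list: a cheap signal that
    something is running on the box that the baseline does not account for."""
    return set(host["open_ports"]) - PORT_ALLOWLIST.get(host["role"], set())


def audit(hosts: List[dict]) -> Dict[str, dict]:
    """Per-host findings from one inventory snapshot."""
    return {
        h["host"]: {"outdated": outdated_packages(h),
                    "unexpected_ports": unexpected_ports(h)}
        for h in hosts
    }


def needs_attention(report: Dict[str, dict]) -> List[str]:
    """Hosts with at least one open finding, sorted for stable output."""
    return sorted(name for name, r in report.items()
                  if r["outdated"] or r["unexpected_ports"])


def track_progress(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, List[str]]:
    """Diff two audit runs: which hosts were closed out, which are still open,
    and which newly appeared (a regression or a host that drifted)."""
    open_before = set(needs_attention(before))
    open_after = set(needs_attention(after))
    return {"closed": sorted(open_before - open_after),
            "still_open": sorted(open_after),
            "regressed": sorted(open_after - open_before)}


if __name__ == "__main__":
    first = audit(HOSTS)
    for name in needs_attention(first):
        print(name, first[name])
    # Simulate patching web-02 and re-exporting the inventory.
    patched = copy.deepcopy(HOSTS)
    patched[1]["packages"]["openssh-server"] = "8.9"
    patched[1]["open_ports"].discard(8080)
    print(track_progress(first, audit(patched)))
```

The point of the second run is the tracking question: a patch job is "done" only when the next inventory export produces no findings for that host, so the diff, not the ticket, is the record of completion. Version comparison here is deliberately naive (leading digits per component); real distro package versions carry epochs and backported fixes, so in production you would compare against the vendor's fixed-version data rather than upstream numbers.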