I wonder if #5 refers to a false sense of security. Just because you patch doesn't mean you're 100% safe. There have been Microsoft patches and linux kernel fixes (e.g., ptrace exploits) where the patch worked but the attackers figured out new ways around the patch. This might be partially why MS made the statement that exploits are only created after the patch is released.