Even the best automated patching system is only one facet of an enterprise security strategy. Even if your organization has an effective patch management process in place, it doesn't mean that you're vulnerability-free. There is always a lag between when a vulnerability is first discovered and when the patch is released. Moreover, once the patch is released, yet another lag exists while an organization tests and rolls out the patch.

This being the case, many security vendors on the patch management periphery argue that patching must work in concert with other defense mechanisms, such as vulnerability scanners and intrusion-prevention systems (IPS).

"A patch cycle across a large enterprise can take several months," says Andre Yee, president and CEO of NFR Security, an IPS provider. "Automation eases this, but a big part of patching is still the procedures involved in evaluating your network inventory, applying the patch, and then verifying that the patching has been successful."

Zero-day attacks are the most obvious pitfall of relying too heavily on patching, but as security companies further automate patching, so too do hackers automate their attacks - thus creating a kind of arms race.

Many of these new attacks are self-propagating. Sobig, for instance, had a built-in SMTP engine. "I never want to be quoted as arguing against patching," Yee says. "It is necessary but insufficient. What is needed is some sort of real-time threat prevention."

For certain industry sectors, such as healthcare and financials, there is also a greater need for testing before patching. "Today's patching problems extend way beyond patch availability," says Joseph Cooper, chairman and CEO of Digital Defense, a provider of network vulnerability tools. "We all know that eventually patches will be made available, but what if you can't utilize them? What if the patch your IT department installs takes down your entire online banking system or, even worse, the only MRI machine available at your local hospital?"

IT managers have to make tough choices when it comes to patching business-critical applications, but in the end, it's all about managing risk. Patching reduces risk but not to zero.