A sobering thought.
So, in a corner case example, what does a boundary condition like the out-of-cycle patch release of MS08-067 mean when your infrastructure and applications are no longer yours to manage and the ownership of the "stack" disintermediates you from being able to control how, when or even if vulnerability remediation anywhere in the stack (from the network on up to the app) is assessed, tested or deployed.
(Via Rational Survivability-Patching The Cloud?.)
As old old mainframe guy, I am positive that most platforms have enough "junk" installed on them so that NO ONE can have what we in the old days would call "system assurance". Say what one wants about the old centralized computing systems, they had change control. Until IBM started to NOT share its microcode and source code with its Customers, any one could sit down with a module and examine what was in fact running with what was supposed to be running. Often when there was an "opportunity", the first thing that folks did was conduct a "witch hunt" for what was wrong. Today, that is impossible and unheard of.
What's even more amusing to us "old hands" is the Linux movement and the Web-i-fication of applications. Funny how the world of "distributed computing" is swinging back to "centralization" with Web Operating Systems and Web Applications.
The Linux distribtuions are putting the end users back in control of the Operating System source code.
The Web application are making "system assurance" impossible.
A virus writer no longer has the luxury of the Microsoft mono-culture. Find a operating system hole and exploit it everywhere. And, the Microsoft death grip on applications (i.e., word processing) is being exploded by Google Docs, Zoho, and their ilk. As well as competed with by Open Office.
Anyone who feels confident that they, and their data, are not literally walking a high-wire tight rope across Niagra Falls on a windy day ... Well, they are at best naive and at worst foolish.
John,
In most cases the IT folks are not the one making the final decision. IT security will often warn the business that certain critical systems are exposed. Either IT communicates poorly or the business thinks a strongly worded contract is "risk mitigation".