Why 9 in 10 Firms Leave Exploited Vulnerabilities Unpatched for Six Months

Almost nine in ten large organisations that are exposed to actively exploited vulnerabilities leave those weaknesses unpatched for six months or longer, according to fresh industry analysis that should alarm CISOs, boards, and cyber insurers alike.

Background

The headline figure—almost 9 in 10 firms remain vulnerable to cyber risks—has been circulating in trade coverage this week after a cyber risk analytics provider published an analysis of more than 2,000 companies, including members of the FTSE 350 and the S&P 500. The study found that 11% of organisations were exposed to vulnerabilities that attackers are already exploiting in the wild, and that of that exposed cohort, 88% remained vulnerable for at least six months despite fixes being available.
Those numbers are striking because they combine two separate problems: (1) the presence of actively exploited vulnerabilities in major enterprise systems and (2) a persistent inability—or unwillingness—to remediate those exposures in a timely way. Together, these create a durable window of opportunity for attackers to escalate incidents into large-scale breaches, ransomware outbreaks, or supply-chain attacks.
This article unpacks the data, places it in the context of other industry studies, explains why remediation delays persist, and offers a practical roadmap that organisations can use to reduce their exposure and improve cyber resilience.

Overview: what the numbers actually say

The core findings, in plain terms

  • A sample of 2,000+ large organisations showed that 11% had at least one vulnerability that was already being exploited by attackers.
  • Among those organisations with actively exploited exposures, 88% did not fix the problem within six months.
  • The most common high-risk category in the analysis was remote code execution (RCE), which represented roughly 31% of the top vulnerabilities identified in the study.
  • The analysis called out major enterprise components—web applications, widely used platforms such as Oracle, WordPress and Apache, and networking/communication infrastructure—as repeat problem areas.
  • The study also highlighted real-world events (notably a critical Windows Server Update Services issue from October 2025) to illustrate how quickly unpatched flaws can be weaponised.
These numbers matter because they reflect more than simple operational backlog: they reveal systemic weaknesses in remediation, asset visibility, and governance.

How this maps to broader industry trends

The findings are not an isolated anomaly. Multiple industry reports over the last two years show:
  • Very high proportions of organisations reporting attacks or breaches in the past year.
  • A rising share of incidents tied to third‑party and supply‑chain exposures.
  • Persistent cyber skills shortages and budget pressures that impede remediation.
  • Widening attention from insurers, who are increasingly using remediation speed and patch practices as underwriting signals.
Taken together, the landscape looks like this: attackers are scanning, weaponising and exploiting known flaws; organisations are detecting those flaws but not closing them quickly enough; and the downstream consequences are higher breach risk, higher insurance scrutiny, and growing systemic fragility.

Why remediations stall: the root causes

It’s tempting to assume that the failure to patch is merely laziness or neglect. In reality, the causes are complex and overlapping. Below are the most common structural drivers behind the six‑month exposure windows.

1. Lack of accurate asset and exposure visibility

Organisations rarely have a single, authoritative inventory of internet‑facing services, legacy systems, and shadow IT. Without accurate discovery and continuous scanning, teams can’t even prioritise the right fixes.
  • Many enterprises manage thousands of software components across hybrid environments, making manual tracking impractical.
  • Cloud-native services, ephemeral containers, and third‑party SaaS add additional layers of opacity.

2. Risk‑aware prioritisation versus operational disruption

Applying a patch to a mission‑critical system can break integrations or force downtime that business teams resist.
  • IT and application owners frequently delay updates because they fear outages or functional regressions.
  • Change control windows, testing requirements, and complex dependency graphs extend remediation timelines materially.

3. Poor remediation ownership and processes

Detection tools are outpacing remediation workflows. Security teams often lack the authority or the channel to force a patching change across siloed application teams.
  • Vulnerability scanning finds problems, but remediation typically sits with DevOps or infrastructure teams.
  • Without a clear SLA and escalation path, findings linger.

4. Third‑party and supply‑chain blind spots

A vendor or outsourced provider can be the weak link. Remediation responsibility and visibility are often contractual grey areas.
  • Organisations rely on vendors for cloud, middleware, and managed services—yet have limited enforcement power over their patch cadence.
  • Fourth‑party dependencies (vendors’ vendors) create hidden attack paths.

5. Human capital and skills shortages

There is a persistent shortage of skilled cybersecurity staff, particularly those who can safely test and deploy patches across complex environments.
  • Security automation and orchestration tools help, but they require expertise to configure and maintain.
  • Recruitment and training lags increase reliance on legacy processes.

6. Complexity of modern exploit chains (and commoditised exploit tooling)

Threat actors have built reliable, automated exploitation toolchains. A single proof‑of‑concept released publicly can drive rapid, automated scanning and exploitation by diverse actors.
  • Critical unauthenticated RCE vulnerabilities (for example, a major WSUS flaw disclosed in October 2025) illustrate how quickly exposure becomes exploitation when a PoC is available.

The consequences: why six months is a dangerous window

Leaving actively exploited vulnerabilities unpatched for half a year has cascading effects:
  • Higher probability of compromise: The more time an exposure remains, the more likely an attacker will find and exploit it.
  • Larger blast radius: Persistent exposures enable sophisticated lateral movement, making an incident escalate from a single server compromise to a domain‑wide breach.
  • Insurance and regulatory impact: Insurers are already adjusting premiums and terms based on remediation discipline. Regulators and auditors expect demonstrable operational security practices.
  • Market and reputational risk: The consumer and business impact of breaches erodes trust; long remediation delays are a telling signal of operational weakness.
  • Supply‑chain amplification: A vulnerable supplier can be a vector to many downstream organisations—so slow patching at one firm can create systemic exposures.
In short, six months is not a benign timeframe; it is long enough for threat actors to weaponise exposures, automate exploitation campaigns, and sell access in criminal markets.

Critical assessment: strengths and limitations of the headline study

No single analysis is perfect. The recent study delivers an important and actionable signal, but journalists and decision‑makers should read the findings with a critical eye.

Strengths

  • Data scale and scope: Analysing more than 2,000 organisations—especially from FTSE 350 and S&P 500 constituents—gives the findings weight because these firms are high-value targets with significant digital footprints.
  • Focus on actively exploited vulnerabilities: By concentrating on vulnerabilities known to be exploited in the wild, the study avoids inflated alarm from low‑risk findings and prioritises practical risk.
  • Operational signal: The six‑month persistence metric is an operational indicator that underwriters and boards can use for portfolio-level risk assessments.

Limitations and caveats

  • Selection bias: Publicly observable exposures (internet‑facing systems) are easier to measure than internal systems; the study may undercount internal exposures or overrepresent firms with public infrastructure.
  • Binary remediation metric: Measuring whether a vulnerability remained exposed for six months does not capture partial mitigations (for example, compensating controls, network segmentation, or access restrictions) that may reduce real-world risk.
  • Context sensitivity: The severity of a remaining exposure depends on its exploitability context—exposure on an isolated management subnet differs from exposure on an internet‑facing service.
  • No direct causality to breaches: While prolonged exposure increases breach probability, the study does not claim every unpatched system led to a breach—only that the risk window was elevated.
Where the study is clear—and where independent coverage corroborates it—is in demonstrating a persistent gap between discovery and remediation in large organisations. That signal is robust across different reporters and subsequent industry commentary.

Real‑world examples that underline the risk

Several high‑profile incidents over the past 18 months show how quickly attackers can weaponise known weaknesses:
  • A widely reported remote code execution vulnerability in Windows Server Update Services was patched out‑of‑band in October 2025 after public proof‑of‑concepts and active exploitation were observed. This advisory prompted urgent action from governments and major cloud providers and demonstrated how an exposed infrastructure role can rapidly become an enterprise‑wide failure point.
  • Vendor and third‑party incidents continue to drive breaches. Recent sector analyses show that a sizable fraction of fintech and financial services incidents originate with third‑party vendors, reinforcing that corporate patch discipline alone is insufficient without supply‑chain enforcement.
  • Repeat exposures in widely used components—web frameworks, content management systems, and middleware—illustrate how common codebases create reusable attack surfaces for adversaries.
These examples make the high‑level analysis tangible: when a critical, unauthenticated flaw is exposed in widely deployed infrastructure, remediation delays amplify risk rapidly.

What boards, CISOs and CTOs should do now: practical remediation roadmap

This is not a theoretical exercise. Organisations can materially reduce exposure with deliberate changes to governance, tooling, and processes. Below is a pragmatic, prioritised list you can act on this week, month, and quarter.

Immediate (first 7 days)

  • Identify and isolate internet-exposed services: inventory all services with public IPs or open management ports; restrict or block access where feasible.
  • Apply emergency mitigations for known high‑risk CVEs: if a patch isn’t immediately possible, implement network blocks, host-level firewall rules, or disable the vulnerable service.
  • Revise escalation rules for actively exploited CVEs: any vulnerability on the KEV (Known Exploited Vulnerabilities) list should trigger an executive escalation path.

Short term (first 30 days)

  • Establish a remediation SLA matrix: define required remediation timelines by severity (for example: critical/actively exploited = 7 days; high = 30 days).
  • Centralise vulnerability triage and remediation ownership: create a cross-functional remediation committee that includes security, infrastructure, and application owners to remove handoff friction.
  • Run a supply‑chain audit focusing on critical vendors: obtain patching cadences, change controls and breach notification commitments from top-tier suppliers.

Medium term (1–3 months)

  • Deploy or extend exposure management and prioritisation tooling: invest in attack surface management, CSPM (cloud security posture management), and exposure-aware vulnerability scoring.
  • Automate testing and canary patching: use blue/green or canary deployments to reduce the risk of breaking production while accelerating patching throughput.
  • Embed patching KPIs into executive scorecards: measure mean time to remediate (MTTR) for critical CVEs and report to the board monthly.
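To make the KEV escalation rule, the SLA matrix and the MTTR scorecard from this roadmap concrete, here is an added Python example (not code from the article or from the study it reports on). The CVE identifiers, the KEV set and the finding dates are constructed placeholders; a real deployment would load the KEV list and findings from your scanner and exposure-management tooling.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation SLA matrix from the article (days allowed to fix, by tier).
# A KEV-listed CVE is top tier regardless of its CVSS severity label.
SLA_DAYS = {"kev": 7, "critical": 7, "high": 30}

@dataclass
class Finding:
    cve: str                           # constructed placeholder id, not a real CVE
    severity: str                      # "critical", "high", "medium", ...
    discovered: date
    remediated: Optional[date] = None  # None = still open

def sla_tier(f: Finding, kev: set) -> str:
    return "kev" if f.cve in kev else f.severity

def days_exposed(f: Finding, today: date) -> int:
    return ((f.remediated or today) - f.discovered).days

def status(f: Finding, kev: set, today: date) -> str:
    """on_time | breached (closed late) | overdue (open past SLA) | open."""
    limit = SLA_DAYS.get(sla_tier(f, kev))   # None for tiers without an SLA
    exposed = days_exposed(f, today)
    if f.remediated is not None:
        return "on_time" if limit is None or exposed <= limit else "breached"
    return "overdue" if limit is not None and exposed > limit else "open"

def needs_escalation(f: Finding, kev: set) -> bool:
    # Article's rule: any open KEV-listed vulnerability triggers executive escalation.
    return f.cve in kev and f.remediated is None

def mttr_days(findings, kev: set, today: date, tier: str = "kev") -> Optional[float]:
    """Mean time to remediate for closed findings in one tier (monthly board KPI)."""
    closed = [days_exposed(f, today) for f in findings
              if f.remediated is not None and sla_tier(f, kev) == tier]
    return sum(closed) / len(closed) if closed else None

# Constructed sample data: a KEV set and four findings as of 2025-11-01.
KEV = {"CVE-0000-0001", "CVE-0000-0003"}
TODAY = date(2025, 11, 1)
FINDINGS = [
    Finding("CVE-0000-0001", "critical", date(2025, 10, 20), date(2025, 10, 25)),  # on_time
    Finding("CVE-0000-0002", "high", date(2025, 9, 1), date(2025, 10, 15)),        # breached
    Finding("CVE-0000-0003", "high", date(2025, 3, 1)),                            # overdue, KEV
    Finding("CVE-0000-0004", "medium", date(2025, 8, 1)),                          # open, no SLA
]
```

Note that the third finding is labelled only "high" by its scanner but sits on the KEV list, so it is held to the 7-day tier and escalated; that override is the point of the article's KEV rule.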

Long term (3–12 months)

  • Adopt Zero Trust principles and microsegmentation: reduce the blast radius of any single exploited component to prevent lateral movement.
  • Strengthen third‑party contractual requirements: make remediation speed, transparency, and audit rights contractual terms for critical suppliers.
  • Invest in workforce upskilling and retention: close skill gaps with targeted hiring, apprenticeships, and partnerships with managed security providers where hiring capacity is constrained.

Insurance and regulatory angles: what to expect

Cyber insurers are already recalibrating risk models. Underwriters are moving beyond static vulnerability counts to operational discipline signals—patch cadence, time‑to‑remediate, and evidence of compensating controls. Organisations with chronic remediation delays should expect:
  • Higher premiums and narrower coverage for cyber policies.
  • Greater insistence on pre‑bind assessments and continuous monitoring.
  • More frequent policy exclusions for known unremediated exposures.
Regulators and auditors will also pay attention. Where customer or citizen data is involved, long exposure windows may be interpreted as insufficient reasonable care in investigations after an incident.

Balancing speed and safety: testing, automation, and organisational change

Remediation is not solely a tooling problem; it is a process and culture problem. The optimal balance delivers rapid patching without breaking business-critical systems. Key practices include:
  • Incremental automation: automate the low-risk remediation steps first (e.g., trivial configuration drifts) while human experts focus on complex change tasks.
  • Pre-production mirroring: maintain staging environments that accurately reflect production for fast verification of patches.
  • Runbooks and playbooks: codify remediation steps for common critical CVEs so response does not depend on a single individual.
  • Business engagement: CISOs must equip business leaders with clear risk tradeoffs so patching decisions are professional, not political.

Risks of overreaction: don’t throw the baby out with the bathwater

While urgency is warranted, knee‑jerk mass blocking or ill‑considered global patching can create operational outages that have real business costs. A controlled, risk‑based approach is essential:
  • Prioritise exposures that are exploitable and internet-facing first.
  • Combine short‑term network mitigations with a clear patch timeline.
  • Coordinate with change control to avoid unnecessary downtime.
A disciplined, measured approach reduces both security and operational risk.

Conclusion: a pragmatic call to action

The headline—almost 9 in 10 firms remain vulnerable to cyber risks—is a blunt but accurate reflection of a deeper operational failure: organisations can detect high‑severity flaws but are frequently unable to close them quickly. That persistent window of exposure is where attackers thrive.
The remedy is straightforward in concept but challenging in execution: improve visibility, tighten governance, automate safely, and create cross‑functional accountability for remediation. For boards and C‑level leaders the message is clear: cyber resilience is no longer an IT metric; it is a business metric that affects insurance, compliance, and reputation.
Today’s threat actors are efficient, automated, and opportunistic. Organisations that treat remediation speed as a strategic priority—backed by the right tools, processes, and leadership—will substantially reduce their probability of catastrophic incidents. Those that don’t risk being the next high‑profile entry in a breach timeline chart.

Source: FinTech Global Almost 9 in 10 firms remain vulnerable to cyber risks