An early Big Idea, and it’s security related. In a recent discussion at the Infrastructure, Operations & Cloud Strategies Conference, Craig Lawson, a Research Vice President at Gartner, suggested that organizations may not need to rush into implementing every security patch that becomes available. He emphasized that most companies struggle to keep up with patching efforts and may be misled into believing that accelerating patches is the solution to their security vulnerabilities. Lawson pointed out that only 8 to 9 percent of vulnerabilities are actively exploited by cybercriminals, who often target less critical flaws rather than the most severe issues. He noted that the overwhelming number of patches issued can lead to complications, as developers may release new patches for software components that are interdependent. This complexity can result in organizations facing more problems without a corresponding decrease in successful cyberattacks. Lawson advocates for a tailored approach that emphasizes collaboration across teams to prioritize patches based on actual security needs.
Why do we care?
The patching treadmill is unsustainable—especially for resource-constrained environments.
Lawson points out a real-world issue: excessive patching can break dependencies, cause downtime, and distract from higher-priority threats. For MSPs juggling multiple stacks across client environments, the real risk is instability from uncoordinated patch application, not just unpatched flaws.
Misused, this advice becomes an excuse for inaction. Lazy or under-resourced orgs may take “don’t patch everything” to mean “don’t patch much.” That’s not Lawson’s point. The takeaway is to patch smarter, not slower or less.
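What “patch smarter” can look like in practice, as an added illustration (this is not Gartner’s or Lawson’s method, and nothing here comes from the talk): a small triage routine that ranks findings by evidence of active exploitation and exposure first, and uses raw severity only as a tie-breaker, while flagging fixes that touch shared components so they get coordinated testing instead of being pushed blind. The field names, weights, tier labels and the sample inventory are all assumptions constructed for the example; the `VULN-00x` ids are placeholders, not real CVEs.

```python
"""Risk-based patch triage (illustrative only; not Gartner's or Lawson's method).

Every record below is constructed. Field names are assumptions for this example:
  id                - internal ticket id (placeholder, not a real CVE)
  cvss              - base severity score, 0-10
  exploited         - evidence of active exploitation (e.g. from a known-exploited feed)
  exposure          - "internet" or "internal"
  shared_component  - True if the fix touches a component other software depends on
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    id: str
    cvss: float
    exploited: bool
    exposure: str
    shared_component: bool = False


def risk_score(v: Vuln) -> float:
    """Exploitation evidence dominates; exposure next; CVSS only breaks ties.

    The weights are arbitrary example values chosen so that any exploited flaw
    outranks any unexploited one regardless of severity.
    """
    score = 0.0
    if v.exploited:
        score += 100.0
    if v.exposure == "internet":
        score += 20.0
    score += v.cvss
    return score


def tier(v: Vuln) -> str:
    """Map a finding to a remediation tier (labels are this example's own)."""
    if v.exploited:
        return "patch now"
    if v.exposure == "internet" and v.cvss >= 7.0:
        return "next change window"
    return "scheduled / monitor"


def triage(vulns):
    """Return (id, tier, needs_coordination) tuples in descending risk order.

    needs_coordination is True when the fix touches a shared component: it does
    not lower the priority, it marks that dependent teams must test the change
    together rather than each side patching independently.
    """
    ordered = sorted(vulns, key=risk_score, reverse=True)
    return [(v.id, tier(v), v.shared_component) for v in ordered]


# Constructed sample inventory (placeholder ids, not real CVEs).
SAMPLE = [
    Vuln("VULN-001", 9.8, False, "internal", shared_component=True),
    Vuln("VULN-002", 6.5, True, "internet"),
    Vuln("VULN-003", 7.5, False, "internet"),
    Vuln("VULN-004", 4.3, True, "internal", shared_component=True),
    Vuln("VULN-005", 5.0, False, "internal"),
]

if __name__ == "__main__":
    for vid, t, coordinate in triage(SAMPLE):
        note = " (coordinate with dependent teams)" if coordinate else ""
        print(f"{vid}: {t}{note}")
```

Note what the ordering does with the sample: the CVSS 9.8 internal flaw with no exploitation evidence lands in the “scheduled / monitor” tier below a CVSS 6.5 bug that is actively exploited, which is the inversion Lawson describes. The shared-component flag never postpones a fix; it only tells the team which patches need the cross-team coordination he calls for.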