April 23, 2025 5m read

Patching is Risky Business: By the Gartner Numbers

Sangita Patel

When I read Eyal’s blog, Why FWaaS is the Only Way Out of Endless Appliance Patching, I imagined a time in the immediate now (oxymoron intended); a time where the word “patching” is as quaint as rotary phones. In my mind, I was Marty McFly, jumping out of the DeLorean, shocked to discover that in the year 2025, we’re still patching appliance boxes.

But here’s the kicker: everything has changed. Except the way we think about patching.

Eyal pointed out how the only way to stop the endless hamster wheel of appliance patching is to eliminate the appliances themselves. The cloud-native model, like Firewall-as-a-Service (FWaaS), offers a way to finally decouple protection from manual remediation. And according to Gartner[1], this shift isn’t just necessary—it’s overdue.

The Patch That Broke the Business

Let’s start with the elephant in the room: patching breaks things. Often badly.

According to Gartner, many organizations suffer high-profile outages due to patches that don’t work as intended. These outages result in reputational damage and lost revenue, putting I&O (Infrastructure & Operations) teams at odds with their security counterparts.

The friction is real. Security teams are under pressure to patch fast to meet static, checkbox-style compliance mandates. But I&O leaders—justifiably—want to test patches thoroughly before deploying them to production systems. After all, a bad patch can be just as damaging as a breach. Gartner summarizes it perfectly: One hundred hours lost from an ill-behaving patch can have the same business impact as 100 hours lost from a cybersecurity incident.

This is exactly where the automated patching of FWaaS resolves the tug of war—offloading the burden from multiple internal teams while ensuring that both uptime and security posture are maintained.

You Can’t Patch What Was Never Patched

Here’s another sobering fact: 12% of vulnerabilities disclosed each year remain unpatched. That’s right—according to Gartner’s research, we’re operating under the assumption that patching is our silver bullet, while more than one in ten vulnerabilities is never addressed with a vendor fix.

This leaves enterprises continuously exposed to known risks—known in the sense that the organization is aware of them, yet unable or unwilling to address them. Reasons can include vendor inaction, operational complexity, or business constraints—risks that threat actors can and do scan for—creating persistent blind spots.

FWaaS helps close these gaps by delivering always-on protection that doesn’t depend on vendor patches or internal patching cycles.

The I&O (NetOps) and SecOps Tug-of-War

Disparate KPIs leave NetOps and SecOps caught in each other’s crossfire—turning every patching decision into a potential conflict between uptime and risk reduction. NetOps is judged on uptime. SecOps is judged on risk reduction. When patches threaten uptime, they threaten I&O KPIs. And when patches are delayed, security risks rise.

According to Gartner’s 2024 Designing and Building Modern Security Operations Survey, only 36% of I&O teams are actively engaged as part of a standing committee on vulnerability remediation. The rest are consulted ad hoc—if at all. This lack of integration only deepens the patching paradox: The people responsible for keeping systems running and secure are not set up for collaborative success.

FWaaS helps bridge this divide by shifting patching responsibilities to the vendor, enabling consistent protection without compromising uptime or security priorities.

Business Impact: Risk Without Return

The business case for patching is often built on fear—but the returns aren’t always justified.

Gartner’s analysis of real-world exploitation trends shows that medium and high-severity vulnerabilities are exploited more often than “critical” ones, yet compliance-driven SLAs focus disproportionately on the latter. That means teams are patching based on ratings, not relevance.

FWaaS changes that equation—taking an equal-rights stance by applying protections across all vulnerability severities. By addressing threats more holistically and consistently, it helps enterprises strengthen their overall security posture without relying solely on severity scores or manual prioritization.

Final Thoughts: Let’s Break the Cycle

And here’s where Eyal’s original point about FWaaS becomes so powerful: by moving away from appliances, we not only eliminate the need for endless patching cycles, we gain agility. A cloud-native platform can implement mitigations in real-time, without waiting for patch deployment windows or change freezes.

Trying to predict which vulnerability will be exploited next or finding the right patch window is like handing Biff, from Back to the Future, the sports almanac—bad things happen. FWaaS doesn’t guess; it protects in real-time.

Eyal’s call to abandon appliance patching was the first step. The numbers from Gartner make the case even clearer: FWaaS is the answer.

Or, to paraphrase Doc Brown: “Where we’re going, we don’t need patch windows.”

[1] Gartner, “We’re Not Patching Our Way Out of Vulnerability Exposure”, 24 February 2025 – ID G00810627

About the author

Sangita Patel is the Sr. Director of Global Product Marketing for Cato Networks. As a Silicon Valley veteran, Sangita has 15+ years of experience in Product & Solutions Marketing for startups, like Nile, and established companies, like Cisco Systems. Sangita holds an M.B.A. from the Haas School of Business at UC Berkeley and a B.S.E.E. from the University of Michigan.