@honeymonster: You're lumping in all fixes to that average - not counting severity of exploitation, whether or not an exploit is even usable in the real world (that is, what chance of success does an exploit have against a random system?), or under what conditions the exploit can be run (local, remote, etc).
Most vendors will prioritize accordingly. A remote exploit that can cause massive damage with little effort will obviously have a higher priority than a local-access exploit that requires a victim to download some trojan from a dodgy website, then type in an administrative password. An exploit that has too many moving parts will likely wind up at the bottom of the priority list no matter what (e.g. first the exploit has to ensure that a certain program at a certain patch level exists, then hope that the user disabled a few obscure system protections, then hope they have more than 4GB of RAM, etc...)
So yeah - the "average" may be 60 days, but Microsoft (among others) have had some pretty severe (and known) bugs that they have studiously kept sitting under the rug for upwards of 6 months to a year or more. All it would take is for someone not-so-white-hatted to find and utilize it.