[Update, May 22, added link to “Observing”.]
Good posts by Ross Anderson, George Danezis and Steve Bellovin say much of what I’d wanted to say, and more. So go take a read. [Also worth reading “Observing the WannaCry fallout: confusing advice and playing the blame game.”]
To what Bellovin says, I would add that 15 years ago, Steve Beattie, Crispin Cowan and I did some math for Timing the Application of Security Patches for Optimal Uptime, and estimated that likelihood of attack starts to exceed likelihood of damage from the patch at around 10 days. To my knowledge, no one has updated the dataset or re-run the numbers, but I would expect that improvements in test automation and improvement in attack frameworks make that closer to patch release, not further from it. My experience is that many organizations with dependencies on older technology also have not invested in test automation that enables even fast ‘smoke testing’ of their systems. Such test rigs allow you to quickly start the clock that Steve hypothesizes.