"If I were the CIO for a big company with sensitive information, patching opersating systems would be way down on my list of how to protect the data."
That's kinda silly. Platform bugs are the easiest to fix. Just get a decent multi platform patch management system in place and keep stuff up to daye.
Unpatched boxes are childs play to own. Literally. Go look at "Metasploit" to see why.
Platform bugs aren't necessarily all that easy to fix. Some require reboots, some are huge and chew up bandwidth, and you have other issues to deal with as well, such as what to do about laptops who dial into the system and aren't up to date. If Road Warrior Bob is on the cusp of a big deal selling widgets to Beijing and needs to send a spreadsheet to headquarters but the system won't let him log in until he's downloaded a 25 MB patch -- on a 56 bps modem with an iffy connection -- then you have problems.