They have gotten smarter about distributing their patches in the last few years with their "automatic update" mechanism. This works acceptably for a single user, but can be a real pain for enterprise-wide deployment.
Indeed, an entire cottage industry has arisen just to manage the application of Microsoft patches. Most of them use a server of some sort that distributes the patches to other machines, with a control interface that can allow for specific exceptions where needed. Whether the patches applied will break any mission-critical applications is always up in the air until proven otherwise.
It seems that Microsoft expects vulnerabilities to happen, and has integrated the need for corrective measures into their regular workflow. That is, patches now seem to be a regular every-30-day feature, not a response to events.
Patches to the Oracle 9i database necessitated by vulnerabilities that were disclosed in January showed up on the Oracle Web site the weekend after they were made public. The weekend, not just on a regular business-as-normal day.
But sadly, Oracle seems to have gone to a more laid-back approach as of late. It has gone to once-a-quarter updating, albeit (it says) with critical patches as needed.
An as-close-as-possible-to-immediate response to a problem builds confidence in customers. While they expect software problems to occur, how the manufacturer responds to them can either build up the confidence in the maker or destroy it. Treating security patches as just another software problem belies the seriousness that users see in them.
Perhaps it just takes Microsoft longer to fix things. Perhaps they have not developed this kind of core competency in-house so they can turn things around in a timely manner. Maybe Windows has turned into such a complex beast that changing it in any way gives rise to unwanted second order effects that must be dealt with before a patch can be released.
Whatever the case, even Microsoft has to realize there is a deep problem here.
So, while Microsoft and Oracle both released scheduled patches Tuesday, customers have come to realize that these are reactive efforts rather than proactive ones. And while customers may have to do business with a company that acts only reactively, they want to do business with one that acts in their interest proactively.
Editors Note: This story was updated with new comments from the author.