
Prolonged exposure to actively exploited flaws elevates breach likelihood and inflates insurers' liability, reshaping cyber‑risk pricing across the market.
The KYND analysis underscores a systemic failure in vulnerability management among the world’s largest enterprises. By examining more than 2,000 organizations, the study revealed that a significant minority—11 percent—were sitting on flaws that threat actors were already weaponising. Even more alarming, 88 percent of those exposures lingered for half a year or longer, turning what could be routine fixes into high‑impact liabilities. This pattern cuts across critical infrastructure, from web‑application platforms like WordPress to core enterprise systems such as Oracle, suggesting that patch fatigue is not confined to any single technology stack.
For cyber insurers, the findings are a wake‑up call. Traditional underwriting often relies on point‑in‑time vulnerability counts, but the persistence of unpatched, actively exploited flaws signals deeper operational weaknesses. Insurers now face the prospect of higher claim frequencies and larger loss severities as these latent risks materialise. Consequently, policy pricing is shifting to incorporate remediation speed as a key risk indicator, rewarding organisations that demonstrate rapid patch cycles while penalising chronic laggards. This behavioural signal reshapes portfolio risk models, making remediation maturity a pivotal factor in cyber‑insurance underwriting.
The broader industry must act before a high‑profile incident like the October 2025 Windows Server Update Services exploit is repeated. That breach illustrated how quickly attackers can leverage known flaws when patches are delayed, resulting in full system compromise. Companies need to tighten their patch governance, automate critical updates, and integrate real‑time threat intelligence to prioritise fixes. As regulatory scrutiny intensifies and cyber coverage demand soars, organisations that close the remediation gap will not only reduce breach risk but also secure more favourable insurance terms, positioning themselves competitively in an increasingly security‑focused market.