c-net is reporting that Microsoft's own servers were successfully attacked. It also includes this perfect quote:
“Seems like every time I install a system patch, something else goes wrong with my system,” said Frank Beier, president of Web design firm Dynamic Webs. The designer said many system administrators won’t patch for many months, because they don’t trust Microsoft to fix the problem without breaking some other function of the software. “In most cases, I’m better off just playing Russian roulette with the hackers until our servers are broken into,” he said.
Which makes me think. Every time there's a large-scale attack, someone comes out with a number like "the attack cost businesses $35 million." How much would it have cost businesses, though, if everyone had installed the security patch on the same day last summer and had their systems break because of the patch itself? Admins across the country applying the patch, applying other patches, fixing conflicts, reinstalling, and so on, for several days. I'd probably call that $35 million too. But since admins don't all patch on the day a patch is released, we never see the cost of the patches themselves balloon into one big number.
Instead, lots of businesses lose a few thousand here and there as their admins are waylaid trying to make the patch and every other piece of software on the machine happy.
So, I'd like to see a study to determine how much applying wonky patches costs business each year.
The quote above may have it right on the money. If you patch a system that never gets broken into, you've spent time (and thus money) for nothing: a guaranteed loss. If you don't patch a system that never gets broken into, you've spent no time (and thus no money). If you don't patch a system that does eventually get broken into, you'll spend time (and thus money) fixing it. So I think these guys are typically playing the probability game: an uncertain cost later beats a certain cost now, monetarily speaking, as long as the odds of a break-in stay low enough that the expected cleanup bill is smaller than the guaranteed patching bill.
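To make the probability game concrete, here is an added example of my own (not from the c-net article or from Beier) that turns the argument above, plus the patch-breakage cost from the earlier paragraph, into an expected-cost comparison. Every dollar figure and probability in it is a made-up assumption; nothing on this page supplies real numbers, which is exactly why I'd want the study.

```python
"""Expected-cost model for "patch now" versus "wait and risk a break-in".

Added illustration only; every number below is a made-up assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchDecision:
    patch_labor: float      # certain cost of applying and testing the patch
    p_patch_breaks: float   # chance the patch breaks something else
    breakage_cost: float    # cleanup cost when it does
    p_compromise: float     # chance the unpatched box is broken into
    breach_cost: float      # cleanup cost of a break-in

    def expected_patch_now(self) -> float:
        """Certain labor plus the expected cost of the patch misbehaving."""
        return self.patch_labor + self.p_patch_breaks * self.breakage_cost

    def expected_wait(self) -> float:
        """Nothing spent unless the box actually gets broken into."""
        return self.p_compromise * self.breach_cost

    def cheaper(self) -> str:
        """Which strategy has the lower expected cost for this box."""
        return "patch" if self.expected_patch_now() < self.expected_wait() else "wait"

    def breakeven_p_compromise(self) -> float:
        """Break-in probability above which waiting stops being cheaper."""
        return self.expected_patch_now() / self.breach_cost


def fleet_costs(d: PatchDecision, n_systems: int) -> dict:
    """Scale the per-box numbers to a whole fleet.

    'patch_all_day_one' is the cost nobody notices in the headlines because
    admins stagger their patching; 'wait' is what shows up as "the attack
    cost businesses $X million" once the break-ins happen.
    """
    return {
        "patch_all_day_one": n_systems * d.expected_patch_now(),
        "wait": n_systems * d.expected_wait(),
    }


# Made-up inputs for one typical server (assumptions, not measured data).
EXAMPLE = PatchDecision(
    patch_labor=200.0,
    p_patch_breaks=0.20,
    breakage_cost=1500.0,
    p_compromise=0.05,
    breach_cost=8000.0,
)

if __name__ == "__main__":
    print(f"patch now: ${EXAMPLE.expected_patch_now():,.0f} expected")
    print(f"wait:      ${EXAMPLE.expected_wait():,.0f} expected -> {EXAMPLE.cheaper()}")
    print(f"waiting stops paying off once P(break-in) > {EXAMPLE.breakeven_p_compromise():.4f}")
    print(fleet_costs(EXAMPLE, 10_000))
```

The break-even number is the part the quote leaves unsaid: the admin's bet only pays off while the odds of a break-in stay below the patching cost divided by the breach cost, and those odds are not fixed, since a hole that is being actively exploited gets more likely to bite with every day the box stays unpatched.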
