In May 2017, WannaCry ransomware rapidly proliferated around the Internet, despite availability of a patch released by Microsoft in March. This is simply one of the most recent and notable attacks exploiting known flaws—there is a constant barrage of attacks, large and small. Although cyber security is more complicated than a simple failure to patch end systems, analysis of cyber security incidents has consistently shown that a failure to apply patches is one of the leading enablers of successful attacks.
We have reached a point in the evolution of cyber security where hands-off, behind-the-scenes cyber defense should be the norm. Clearly, the best solution would be to deploy less-vulnerable systems. This is a topic that has received great attention for approximately five decades, but developers continue to resist using tools and techniques that have been shown to be effective, such as code minimization, employing formal development methods, and using type-safe languages. Additionally, consumers are widely believed to be reluctant to accept the software limitations and increased costs that result from some of these more secure development practices. Those issues, coupled with the vast amount of legacy code in place and being reused, have meant that better security is often, at best, an "add-on" rather than "built-in" function. Patching and configuration changes will be required indefinitely to keep the current infrastructure at least moderately secure.