Whenever a new “critical” vulnerability is found, the cry goes out across the land; Patch! Patch! Patch! Whenever a major incident is caused by known vulnerabilities the question is always Why didn’t they patch? We’ve known about this for months! They should have patched! Sometimes this is valid criticism, and learning why the organisation wasn’t patched can lead to some insights into failure modes.
There’s an old comment; “A Lie Can Travel Halfway Around the World While the Truth Is Putting On Its Shoes”. This came from a pre-internet world. Today a lie can travel around the world in seconds. Personal annecdote Last year I broke the MBR on every hard disk on my home server. I was panicing. I really didn’t want to rebuild and restore from backup, and then re-rip all my DVDs; such a time sink!