That is a terrible policy. I spent a long night at an office of a Fortune 500 company for that very reason. They didn't see any reason to apply BIOS patches because they were just to add support for newer hardware, not to fix any sort of vulnerability. Fair enough. Several years went by and their terminal server had a processor go finicky on them. They determined the available spares included processors that were compatible. I asked, "Has the BIOS been updated to support the newer processors?" I was assured that they do regular patching and it would not be a problem. I arrive on site, install the new processors and get no POST. A bit of troubleshooting and we determine it doesn't recognize the processors because the BIOS was out of date. Really long story shortened: we had to shut down another server, pull the processors, install them in the problem server, boot, patch the BIOS, shut down, move the processors back into the donor server, and then reinstall the new processors. Of course this was in a server room that was an overstuffed shoe box, so a number of acrobatics were required to get the servers extended to a point where they could be worked on.
So what should have been a 10-15 minute processor replacement ended up causing several hours of downtime and the unscheduled shutdown of another server.
Don't be lazy!
That said, as someone else stated, I usually wait a couple of months to patch (especially HP) unless it is considered a critical issue or I have a straightforward fail-over plan. HP has screwed up my arrays etc. more than once with their quality updates.