My former company was a spam company, but yet it was maintained by a non-security-conscious boss. It wasn't until 3 months after I left (after being there for over 2 years) that they finally cracked down and got a firewall. Installing said firewall after the business was in full swing... yeah. I don't envy the monkey that took my place.
But the same standard was applied for patches, we were told to -never- reboot certain dbs... which HAD to have external IPs, and no firewalls. Yup, you got it, live dbs with thousands and thousands of credit cards owned by a spam company... a 'sort of' big target eh?
Yeah, so when the dbs died due to being owned due to lack of patches, it was no surprise that we were yelled at and held responsible by the same person who continually told us not to reboot. And if you went over his head to get permission for various VERY important IIS patches or security updates, you were told to reboot the server "RIGHT NOW YOU IDIOT" by the boss, due to the fact he didn't know what was going on but yet wanted to pretend he did.
In short, non-IT people shouldn't be involved in the patch/security process, PHBs suck.
Personally, at my new job, I'm in charge of co-ordinating any deployments to new servers, and the change is refreshing, with the amount of firewalls, it's not as desperate a situation, too.
If it's a major patch, 3 days to upgrade if it requires a reboot, just to notify all people working on it. If it's a transparent change, possibly 24 hours and they're fully deployed.
Of course, I only work with Unix now, (thank god) I don't know how the Intel side handles their issues.
Possibly they pray?