I'm in one of these "critical" industries that will be most likely be included under the benevolent government security umbrella provided by this bill. I've gotten pretty good at predicting how our loving, caring government is likely to respond to this type of challenge, to wit:

After a competitive bid involving only Cisco, Oracle and Microsoft, they will likely hire Cisco, Oracle and Microsoft to tell them what's needed. Unsurprisingly, the solution will include the requirement to purchase lots of expensive products from Cisco, Oracle and Microsoft.

This new regulatory function will obviously need oversight by the government. The government will expand (bloat?) the bureacracy by hiring an excessivly large number of underqualified, overpaid people to monitor compliance with their byzantine rules, which will constantly change to suit their whims. There will be minor incidents, which will be blamed on laziness and non-compliance by the industry. More regulations will be drafted, new equipment will be purchased and the bureacracy will expand even further.

At that point, we commence the never-ending circle of more regulation, more money paid to a select group of "certified" vendors and the unceasing growth of the bureacracy.

IT shops have to do what their users want, within the regulatory and financial framework laid down by government, corporate counsel, shareholders, lenders, legal privacy requirements, and all with an adoring eye focused on our fiduciary duty to our employees, customers and suppliers.

Just because a user wants to be able to have a neat toy doesn't mean we throw all those requirements to the wind. Trade secrets that leak out into the public domain through insecure devices means those secrets aren't, well... secret. Credit card numbers, social security numbers, private medical information and such all require a certain standard of care in handling, and if the device can't meet that standard, which means that we as a corporation can't CONTROL how that device is used, then we can't allow our users to have those devices, regardless of their heartfelt desires. The legal liability alone dictates what we can and can't do.

I really do like Apple products. I own far too many myself. However, we won't allow those devices on our internal network because of all the reasons I listed.

Leap seconds are a tiny bit of problem when you have to time-stamp transactions coming in from all over the globe and keep them in date/time order. Some OSes don't support leap seconds, which complicates matters. We have the procedures documented from the last time this happened in 2008, but, of course, we've changed OS, DB and message queue vendors since then, so nothing applies anymore.

Time to spin up a new project and pay some high-priced consultants a lot of money to rewrite the procedures documentation yet again. I suspect we'll take the coward's way out and shut down processing for a minute before until a minute after and resync the clocks in the interim.

That will, of course, be charged to our SLA downtime, which will affect everyone's performance reviews at the end of the year. All this for a single goddamn second.

If M$ released Windows 8 and simultaneously dropped support for Windows 7, that's probably exactly what would happen.

You totally missed the point. The actual deployment takes a few mouse clicks and the application is on its way to the enterprise. It's everything you have to coordinate beforehand that takes all the time. You have to test plugins, internal and external webapps and a zillion different things that users use a web browser for. You'd be surprised at what all has to be tested.

The actual deployment has to be planned. Migrate user settings, GPO updates, cleaning up previous versions, making sure you save and restore every little stupid thing. You have to create help desk and field services documentation (sometimes in multiple languages) and then train the helldesk idiots.

You have to coordinate back end webapp server changes. You have to test those changes.

You have to plan and schedule your pilot test. You have to gather feedback from your pilot users and possibly make changes and re-pilot.

THEN you can go production, and watch in amazement when the excrement hits the fan and a million-and-one things you never though of crop up.

I could press a button right now and have FF5 on 40k desktops by midnight. I'd lose my job, but I could do it.

Testing isn't hard, it just takes a lot of time and money. We have to CERTIFY exactly which of the several hundred internal and external webapps FireFox works with, and which it doesn't, and then create copious documentation in several languages for help desk and field personnel. We have to plan and manage GPO settings for dozens of different groups. If code changes have to be made on servers to support the new browser, that has to be coordinated across the enterprise.

There's more to it than browsing to a few websites and then letting the code fly.

Honestly, the history wasn't even considered. We had a big enough pile of user requests for FireFox, so we started the process for bringing new software into the enterprise. You assume management researched the matter and used their keen intellect to thoroughly evaluate the feasibility of supporting FireFox.

Management just nodded their head a lot and sent a 1-line email to the appropriate geek.

Short answer: We'll stick with IE, like we have since the dark ages.

tl;dr: FF and Chrome were being looked at as 'alternative' browsers, to give our users some choice. FF testing got off the ground, Chrome was still in the 'being-talked-about' stage. Testing monthly security patches is something we're intimately familiar with, and can knock out in a couple of days. There's a HUGE difference between testing patches and acceptance testing. With M$ patches, we have a pretty good idea what to test for, and we have our own pet M$ rep on-site to get us the info we need.

Simple: FF4 is the version that finally got management's attention and thus the testing cycle was started. Even with FF5 coming out, the testing would have continued on FF4, but with the cessation of security patches, that effort has been cancelled. We'd have to start over from scratch, and, right now, I just don't see that happening. Mozilla is no longer 'trusted' by management.

Yes, we do go through a montly patch testing cycle . It's not the same gruesome process as the thorough acceptance testing that goes into introducing a -brand new- browser into a corporate environment, but the important stuff does get tested.