The problem is that the FDA is requiring that the patches/updates be 'tested the update for any effect on clinical function'; knowing how FDA testing can run and often does, this probably in practice translates to 'not at all.'
If the tests were limited purely to the ones relevant and necessary, it'd be one thing, but the FDA has a well-earned rep for requiring tests that are antique and/or irrelevant. This is approximately like having somebody in upper management decide that any change whatsoever to the computers can only be done after a huge, time-consuming & expensive battery of tests, and that you cannot skip any step under any circumstances whatsoever, even if you would like to know exactly how 'applying humorous sticker to monitor stand' could possibly result in software issues.
It is not nearly that clear-cut. Testing requirements vary depending on the risk classification level. Things like a pacemaker or insulin pump are Class III devices, and the requirements for those are indeed very strict. But PACS systems are Class II, which is not nearly as onerous. And both the FDA and the IEC-62304 standard are starting to acknowledge that not taking software updates is likely more risky than taking them, precisely because of the huge numbers of bugs and vulnerabilities found.
But vendors also have no interest in patching old software. The company I work for is good about updating our OTS/SOUP with new releases, and doing a risk analysis and testing of the update, but we do that for new releases, not something we released 2 years ago. We want our customers to take the update (most are on maintenance, so it is free), rather than spend our time releasing updates to 4 or 5 different versions of software.