IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.
A blog from V3.co.uk


Patching problems at Infosec

On-demand risk and compliance software provider Qualys has launched a new piece of research which provides a neat if somewhat depressing snapshot of the attitude of organisations to patching known vulnerabilities.

The vendor analysed over 680 million vulnerabilities, of which 72 million were critical, generated by around 80 million scans of its customers' systems last year.

According to the findings, the average time it takes for firms to patch just 50 per cent of the critical vulnerabilities they find has dropped a tiny amount from when similar research was done in 2004, to about 30 days.

Some industries are doing well - the service industry has the shortest recorded time of 21 days - while others are less good; manufacturing ranked last with 51 days, for example.

According to Qualys CTO Wolfgang Kandek, there is now consciousness about patching, which is an important step forward. He added that the figures may have appeared slightly disappointing because the vendor is now tracking more variants than in previous years, so there are in effect more vulnerabilities for customers to patch.

However, the danger now lies not with OS vulnerabilities, which he agreed most customers have got on top of, but with vulnerabilities in things like media players and other applications.

"The OS is OK but people are missing the other stuff," he warned. "Unfortunately, attackers are not at that level - they've got much better since 2004, with single or zero day threats now common."

Plenty of food for thought for CSOs at Infosecurity Europe this year then.

April 30, 2009

© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093