In 2012, 80% of vulnerabilities had a patch available on the day they were disclosed. This means that it is possible to remediate the majority of vulnerabilities, and that organizations and private users alike have a solution available for the root cause of security issues: vulnerabilities in software. The fact that 20% of vulnerabilities are without patches for longer than the first day of disclosure, however, means that patch management is not sufficient protection – vulnerability intelligence and alternative remediation measures are required if organizations wish to keep their IT infrastructure watertight.
It is unlikely that many more than 80% of vulnerabilities will have a patch available in the future, and it is realistic to assume that 20% is a representative proportion of software products that are not patched quickly – for example, as a result of a lack of vendor resources, uncoordinated releases, zero-days or vulnerabilities in End-of-Life products.

Increased cooperation between vendors and researchers
That 80% of vulnerabilities had a patch available on the day of disclosure is an improvement over the previous year, 2011, in which 72% had a patch available on the day of disclosure.
The most likely explanation for this improvement in Time-to-Patch is that more researchers coordinate their vulnerability reports with vendors, which means that patches are available immediately. (Source