A 30-day patching cycle is "significant exposure," Gerhard Eschelbeck, chief technology officer and vice president of engineering at Qualys, said in presenting the data at a panel held during last week's RSA Conference in San Francisco.
"We have to make every possible effort to make this cycle shorter," he said.
Eschelbeck said companies need to focus on the top 10 most critical vulnerabilities, but he noted that the list is not static.
"Fifty percent of the most prevalent and critical vulnerabilities are being replaced by new ones on an annual basis," he said. "This top 10 list is a shifting target."
In addition, old vulnerabilities, such as the one that led to the Code Red attack still linger. "Some vulnerabilities will never go away from the internet," Eschelbeck said.