What companies patch, and what they don’t

Where the red bar is shorter than the blue one, customers patched aggressively. Critical-rated CVEs make up roughly a tenth of all published vulnerabilities but only a small slice of what is left unpatched, because Criticals get attention. Mediums also shrink, probably because they ride along with the monthly Windows update, which gets applied all at once. The High band swells in the other direction: it is where customers fix most of the issues but not all of them, and the remainder piles up.

What’s hard to patch

Three patterns explain most of the unpatched backlog.

1. Configuration outweighs code. The most common finding across the customer base isn’t a software bug—it’s an untrusted (usually equivalent to self-signed) Transport Layer Security / Secure Sockets Layer (TLS/SSL) server certificate. The rest of the top ten is similar:

  • Weak cipher suites
  • Static‑key ciphers
  • Self‑signed certificates
  • Server Message Block (SMB) signing not required
  • Transport Layer Security (TLS) 1.0 still enabled
  • Susceptibility to the Browser Exploit Against Secure Sockets Layer / Transport Layer Security (BEAST) attack
  • Default Simple Network Management Protocol (SNMP) community names

None of these require a vendor patch. They require configuration hygiene—someone to revisit long‑forgotten settings on long‑running services. That operator action is the real bottleneck.

2. Operating system vs applications. Microsoft-tagged issues (Windows OS patches, Office, Edge) dominate the customer footprint, reflecting both endpoint counts and the volume of Microsoft’s monthly release cadence. Linux is essentially absent from the backlog, which has two equally honest explanations: many Linux servers auto-update via the package manager, and the customer base is simply Windows-heavy. Browser apps (Chrome, Edge) and the occasional Adobe Acrobat / Java install are the next-biggest category.

3. Old CVEs age out, with exceptions. The second chart traces every unpatched CVE by the year it was first published, as a share of the backlog (red) versus its share of the whole National Vulnerability Database (NVD) (blue).
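The configuration findings in pattern 1 above are the kind a host can check itself. The following is an added example (not from the original post or its data) of a read-only PowerShell audit for four of them on a Windows server: TLS 1.0 left enabled, SMB signing not required, self-signed certificates in the machine store, and default SNMP community names. It assumes it runs elevated on the host being checked and that the SMB and SNMP cmdlets and registry keys are present where Windows normally keeps them; the "public"/"private" name list is a constructed assumption.

```powershell
# Added example: audit one Windows host for common configuration findings.
# Read-only: it reports, it changes nothing. Assumes an elevated session.
$findings = @()

# 1. TLS 1.0 still enabled. SCHANNEL disables a protocol when the Server key
#    carries Enabled=0 or DisabledByDefault=1; a missing key means the OS default,
#    which on older Windows Server builds is "enabled", so the absence is flagged too.
$tls10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
$tlsDisabled = $false
if (Test-Path $tls10) {
    $p = Get-ItemProperty -Path $tls10
    $tlsDisabled = ($p.Enabled -eq 0) -or ($p.DisabledByDefault -eq 1)
}
if (-not $tlsDisabled) { $findings += 'TLS 1.0 server protocol is not explicitly disabled' }

# 2. SMB signing not required on the file-server side.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) { $findings += 'SMB server does not require signing' }

# 3. Self-signed certificates in the machine personal store (issuer equals subject).
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += "Self-signed certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
    }
}

# 4. Default SNMP community names, if the SNMP service is installed.
#    Community strings live as value names under ValidCommunities.
$snmp = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'
$defaultNames = @('public', 'private')   # constructed list of well-known defaults
if (Test-Path $snmp) {
    $names = (Get-Item -Path $snmp).GetValueNames()
    foreach ($n in $names) {
        if ($defaultNames -contains $n.ToLower()) { $findings += "Default SNMP community name present: $n" }
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Each line of output maps to one item in the top-ten list, so the script doubles as a checklist for the operator revisit the post says is the real bottleneck.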
