Patch and Pray

By Scott Berinato

"There's no place for that kind of thinking, to patch less," says St. Elizabeth's Burns. "As soon as an exploit takes advantage of an unknown vulnerability--and one will--those guys will be scratching their heads. He's using old-school risk analysis. How can you come up with an accurate probability matrix on blended threat viruses using 12 years of data when they've only been around for two years?"

Add to this a sort of emotional inability to not patch--sort of like forgetting to put on your watch and feeling naked all day. Several CISOs described an illogical pull to patch, even if the risk equation determined that less patching is equally or even more effective.

There's also an emerging hybrid approach--which combines the patch management software with expertise and policy management. It also combines the costs of paying smart people to know your risks while also investing in new software.

"There's a huge push right when P&L captains are telling CISOs to keep costs down," says Hernan. That might explain why the executive security ranks are far less enamored by the Patch Less/Patch More philosophies. The polar approaches haven't yet spurred CISOs to take sides so much as they've flummoxed them. Ambivalent confusion reigns.

Hernan says, "I can understand the frustration that can lead to the attitude of, 'Forget it, I can't patch everything,' but that person's taking a big chance. On the other hand, he's also taking a big chance applying a patch."
