Empirical results of correlating security information with typical corporate software portfolios will be presented. Patches are an effective means to escape the arms race with cybercriminals and the majority of vulnerabilities have patches ready on the day of disclosure. The dynamics of critical programs will be quantified and patching strategies compared to maximize risk reduction with limited resources.