Fully patched is in the eye of the beholder
At Blackhat you can read between the lines that “fully patched” doesn’t mean you are fully secure. At any point in time there are any number of updates that vendors are working on. Some of them are being worked on with a security researcher, some are being worked on because someone found a vuln and it’s popping up in the wild.
These days the bad stuff isn’t just IE. Isn’t just active X, isn’t just adobe, isn’t just quicktime, isn’t just flash, isn’t just rogue a/v coming in through bad links in google.
These days I’m using stuff like opendns and blocking urls. I’m making sure we’re not running as admin.
But if you say on any given day that “Hey I’m fully patched, I’m secure”…. guess again…