In the linked article, an NSA employee gives advice on how to keep your systems secure, and it makes crystal clear that you have to keep your security patching up to date.
According to the quotes in the article, even security vulnerabilities that existed on a system for only hours can be exploited by adversaries.
So the easy answer to the question above is: implement all security patches as soon as they are available. If you run cloud applications, you have to talk to your software vendor about their SLAs.
Easier said than done, isn’t it? Many customers I have spoken to in the past take months, if not a year, to implement security patches. That is a hacker’s paradise!
However, a few customers I have spoken with have created a copy of their system landscapes. There they implement any security patch immediately when it becomes available. They run automated tests and have application experts test the applications for a pre-defined period of up to a month. If all applications run without breaking, they then implement the security patches in their productive system landscapes.
This significantly reduces the implementation time of security patches and sounds like a good best practice.
Happy security patching.