Companies leave vulnerabilities unpatched for up to 120 days

http://www.net-security.org/secworld.php?id=18911