In 2004 and 2009 we published research around the lifespan of vulnerabilities. One of the metrics was the half-life, i.e. how long it takes for the number of occurrences of a vulnerability to diminish by half. The data is extracted in anonymized form from the roughly 400 M vulnerability scans that run on the Qualys platform per year.
In 2009 the average was 30 days. For last year we saw some improvement across industries: at least for such high-profile targets as Internet Explorer, we are now down to 17 days.
Good progress, but still far from the goal of getting patching down into the under-7-day range.
Stay tuned for more updates.