Brian Krebs posted an excellent article titled Internet Explorer Unsafe for 284 Days in 2006. Brian writes:
For all its touted security improvements, the release of Microsoft's new Internet Explorer 7 browser in November came too late in the year to improve the lot of IE users, who make up roughly 80 percent of the world's online community. For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. (emphasis added)
How did the competition fare?
In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem. (emphasis added)
This is exactly the sort of security metric I like to see. There are plenty of ways one could criticize these results, perhaps by asking about the underground group in Bulgaria sitting on 92 Mozilla 0-days? (just kidding) In the real world these are the sorts of numbers that best approximate our understanding of digital vulnerability. In terms of threat, Brian writes:
Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.
I don't know how he measures the "98 days," but that gives you an idea of the degree to which these IE vulnerabilities were being exploited and risk moved from a probability to a certainty.
Don't just measure how many of your systems are patched. Measure how long they were vulnerable. Being patched does not mean being invulnerable, when vulnerabilities exist for which no patch is available.
Once you make these measurements, act on them. Consider alternatives. Complain to the vendor. Exercise the purse strings. Don't continue to be abused.