Oracle Users Patching Survey
This survey was done jointly by Oracle and the Independent Oracle Users Group, and there’s some downright scary stuff in it that probably won’t surprise many of you. As you might expect, patching is not a big priority for Oracle admins: a full 11% of those surveyed have never applied a patch, and close to 50% were at least 2 cycles (6 months) out of patch.
The PDF of the rest of the survey can be found here.
Honestly, Oracle is one of the applications that we should be most concerned about. It’s just enough of a pain to set up and maintain that most people aren’t toying with it, and far too many of the installations and configurations out there are done by people with very little experience. That is understandable: Oracle DBAs have a lot of niche knowledge that is fairly expensive to employ, and if databases aren’t your business you’ll just have Bob the intern take care of it. Combine that with pretty large patchsets every quarter that don’t seem to be applied very consistently, and you’ve got an environment where an attacker holds all the cards.
Author: Daniel Peck
Posted: March 3rd, 2009 under Calculating Risk.
Comments: 2
Comments
Comment from stephan beirer
Time: March 3, 2009, 12:39 pm
At least these results suggest a huge improvement on the security awareness of Oracle DBAs – just compare with the results of a prior (not so independent) survey:
http://www.petefinnigan.com/weblog/archives/00001141.htm
Comment from Daniel Peck
Time: March 3, 2009, 4:19 pm
I’d guess that the one I linked to in the OP is a little self-selecting on the side of doing things right. If you’re involved in or at least aware of a users group, you’re more likely to be doing things “by the book”.