Yes to patching, but companies need to finally embrace zero-trust