"Without such insight, Oracle customers cannot develop a work-around for their production application and I find it hard to believe a company would patch critical applications without months of testing," proclaims Shulman. "This lack of transparency is outrageous behavior. Vendors expect researchers to share details with them responsibly, yet they fail to do the same with security vendors and their customers."
Stability and predictability in the update process are good things, but a quarterly cycle is perhaps not frequent enough for an organization like Oracle to keep up with the vulnerability patching that its range of products and technologies demands. There comes a point where the vulnerabilities that are left unpatched are bigger news than the flaws that are fixed, and customers are left in limbo to fend for themselves until the next update.