Vendors drag their heels when it comes to identifying software vulnerabilities and are often loath to expedite the fixes.