We just had a security audit.
Auditing company told us we were at risk because we were missing a bunch of "patches."
Upon inspection of the patches we are missing and they all seem to be considered Non-Security Patches or Security Tools. This makes sense because we only apply Security Patches (as categorized by Shalivk) right now.
So, what do you guys do right now? Are you patching just for Security Patches or doing Non-Security Patches and Security Tools as well? Did you pass an audit like that?