Our auditors have suggested that we need to increase the frequency of which SAP security notes are applied to our systems, i.e. Hot News/Severity 1 within 30 days, Highs/Severity 2 within 60 days, etc.
I can understand the desire/need but feel that might not be the right balance between keeping the systems secure and meeting the needs of the business through enhancements much more "tangible" to them, especially given tight IT resources.
Best practice aside, I'm interested in knowing more about what others are actually doing in this regard. How often are others applying security notes depending on their severity?