The Cost of Maintaining the System
Very few systems, hardware or software, can be installed and then ignored. Most require either a metaphorical or a literal change of oil periodically. In the case of software, the most common form is to install updates from the supplier.
Most updates are tested thoroughly before release. Unfortunately, it is impossible to test every possible combination of hardware and software that might cause problems, and so some additional testing is often needed in-house. This often means that a spare system is needed, with the same configuration as the deployed version, for testing.
Security updates are a more careful balancing act. In many cases, the vulnerability may be published before the patch, making the system vulnerable. Even if it isn’t, then it is fairly common for crackers to reverse-engineer the patch to determine the vulnerability.
The patch release schedule is also an important factor. If patches are released on a regular schedule, it easier to plan for their installation, which can reduce costs.
If a product has a poor security record, then your administration staff is likely to implement stop-gap measures between the publication of vulnerability and the deployment of a tested patch.