@AC: Most vulns are mitigatable, and AV software is worse
Microsoft seems to have this habit of calling patches in user-level code "Critical" because too many idiots use said code while logged on to Windows with full admin. Running the same unpatched code as a non-admin reduces the threat a vuln presents to "Negligible."
By comparison, an "Important" vuln that permits privilege escalation is "Critical" to me.
I don't worry about these kinds of vulns. Hell, if I had my way, I'd approve updates only once every six months, and I do. Machines under my care can't run unauthorized code. And yes, I check. This leaves Java and Flash, and while Flash isn't as picky about security, IE7 is regarding plugin behaviour, and Java's even more so.
Contrast to typical anti-virus software. This requires patching once every single day, and in Sophos' case they're demanding you apply patches once every hour. And AV will fail to catch a new piece of malware unless you do this. And yes, I call this patching.
I trust Microsoft over Symantec any day. At least with MS I'm paying once every five years for a new OS, compared to paying Symantec every year for the same old AV.
Now if only I could write an automated bot to post to El Reg's Patch Tuesday articles each month...