NTLM is broken by design
I don't think there is a "comprehensive patch" possible for NTLM. It is simply not robust authentication. Why? The "LM" itself says it -- it's from the days of LAN Manager (early or mid 1980s), NetBIOS, and so on, along with SMB (Server Message Block) file sharing and all that good stuff. It was designed to have low enough memory usage and CPU usage to run reasonably on the 4.77 MHz, 8 MHz, and 16 MHz machines of the time, and furthermore the LAN Manager stuff assumed a closed network -- NetBIOS was not routable. Why did Microsoft adopt it in Windows (either NTLM *or* SMB, or the NetBIOS-based name services)? I really don't know, but they did.
Anyway, there is a "simple" solution -- Kerberos. (For Windows use, this is Active Directory.) I'm no Microsoft fan, but they recognized NTLM's weaknesses like 15 years ago; Kerberos was designed with the recognition that a lot of the login systems of the time were quite weak, and it specifically avoids captured authentication tokens being reused, for instance. So why does NTLM still exist? Well, note the quotes on "simple" -- setting up Kerberos is just not that simple, and if an environment is closed off, it may well be overkill.
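As an added illustration of the "reusable token" point above (this is my own example, not code from the post or from Microsoft), here is NTLMv2 challenge/response worked out from the MS-NLMP algorithm. The thing to notice is that the verifier never needs the password: the NT hash (NTOWF) derived from it is the credential, so anyone holding that hash can answer fresh challenges exactly like the real user. MD4 is implemented inline because hashlib's MD4 is often disabled under OpenSSL 3; function names, the constructed challenges, and the "attacker" scenario are my own, while the user/domain/password and AV-pair inputs mirror the worked example in MS-NLMP section 4.2.4.

```python
"""NTLMv2 challenge/response from first principles (MS-NLMP section 3.3.2).

Added example, not from the original post.  It shows why an NTLM response is
'reusable' in the sense the post means: the verifier only needs the NT hash,
so whoever holds that hash (client, server, or thief) can mint valid responses.
"""
import hmac
import struct
from hashlib import md5


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's MD4 is often unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                           # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                           # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                           # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & mask, (B + b) & mask, (C + c) & mask, (D + d) & mask
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password.  This value *is* the credential."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), md5).digest()


MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0x0000, 0x0001, 0x0002


def target_info(*pairs: tuple[int, str]) -> bytes:
    """Encode AV_PAIRs (AvId, AvLen, UTF-16LE value) terminated by MsvAvEOL."""
    out = b""
    for av_id, text in pairs:
        value = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(value)) + value
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: int, av_pairs: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp, per MS-NLMP 3.3.2."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    nt_proof_str = hmac.new(ntowf, server_challenge + temp, md5).digest()
    return nt_proof_str + temp


def verify_ntlmv2(ntowf: bytes, server_challenge: bytes, response: bytes) -> bool:
    """What the server or DC does: recompute NTProofStr from the *stored hash*."""
    nt_proof_str, temp = response[:16], response[16:]
    expected = hmac.new(ntowf, server_challenge + temp, md5).digest()
    return hmac.compare_digest(nt_proof_str, expected)


def demo() -> dict:
    # Inputs mirror MS-NLMP 4.2.4; the challenges are constructed, not captured.
    user, domain, password = "User", "Domain", "Password"
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")
    info = target_info((MSV_AV_NB_DOMAIN_NAME, "Domain"), (MSV_AV_NB_COMPUTER_NAME, "Server"))

    stored_hash = ntowf_v2(password, user, domain)   # the only secret the verifier holds
    legit = ntlmv2_response(stored_hash, server_challenge, client_challenge, 0, info)

    # Hypothetical thief who obtained stored_hash (never the password) answers a
    # brand-new challenge just as well; the exchange cannot distinguish the two.
    fresh_challenge = bytes.fromhex("fedcba9876543210")
    forged = ntlmv2_response(stored_hash, fresh_challenge, b"\x11" * 8, 0, info)

    return {
        "ntowf_v2": stored_hash.hex(),
        "legit_ok": verify_ntlmv2(stored_hash, server_challenge, legit),
        "hash_only_ok": verify_ntlmv2(stored_hash, fresh_challenge, forged),
        # A response is bound to the challenge it answered, so a blind replay
        # of the old response under a new challenge is rejected.
        "replay_ok": verify_ntlmv2(stored_hash, fresh_challenge, legit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast with Kerberos is that a Kerberos authenticator is encrypted under a short-lived session key and carries a timestamp the service checks, so the long-term key never has to be presented as the proof itself; here the long-term NT hash is both what the client proves with and what the server checks against.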