Slow And Painful
I am not surprised at the results of this survery; anyone that has had any work in this area should know about some of these issues.
The software gets loaded, the systems setup; and then the consultants start making changes. The instant that anyone then tries to do a patch, it all goes horribly wrong. This is made worse because so many of the consultants do not document their work, so no-one knows what has been done, by whom, when, where or how. As the AC above highlights, it then gets to the stage where the business just won't accept the risk and bans further updates.
For anyone that has had to work with SAP admin, the way that they provide support, updates, downloads etc is not the easiest to work with. Even once you have learned to navigate the support portal, it can take a lot of time to identify what you actually need. SAPnotes are supposed to make the information availbale, but in most cases they just seem to make the situation even more confusing; many times I've had to read my way through a dozen or more, just to try to understand what the proposed solution is meant to be.
I'd also highlight I've also seen that many consultants insist on implementing connections from the client to their own business; and these connections are generally very poorly managed. Consultants sharing connections, IDs, using SAP_ALL and advising clients to work the same way; I'm surprised that there aren't more issues (there may well be, but they just keep schtum about them.)
A number of consultancies have been agressively marketing their hosting facilties, in which they promise to do all the managment (for a fee). But in fact, all they do is run the SAP EarlyWatch reports and then suggest that the client's staff should be doing patching etc. even though the client has got rid of the staff that would have done the work because they outsourced to the consultancy.
But to my mind the worst of all is that so many consultancies promote themselves as experts to their clients, but then offer really poor advice, then blame it on the client when it doesn't work. When you get good consultants (and they are out there) they do a good job. But there are just too many out there that I wouldn't even allow on site, let alone touch the software.
For reference, I have worked on sevral SAP systems and undertaken a number of their certs, including the security & GRC.