Re: Puppet Enterprise ..
Puppet would be great for deployment and patching automation...but how do you do the inventory collection, automated vulnerability detection and patch level awareness? While I believe Puppet Enterprise may in fact be the best tool available for deployment and configuration management, additional tools would be required to meet all requirements.
That said, I disagree with the assessment that a single, unified tool exists which could properly accomplish the aims of vulnerability assessment, patch level awareness, patch deployment and configuration management. Several try – Altiris, System Center, Kace, etc – but they all fall short in some way.
At current, for an organisation such as the IRS, I would be forced to recommend using a collection of "best for purpose tools" combined with a political approach of "leaning on the vendors" to ensure better integration. You'll find organisations like PuppetLabs or Zenoss (who you might want for root cause analysis monitoring for outages) to be extremely open to working with enterprises to add functionality.
Where I see issues are with ISVs. Gods only know what the IRS is actually running for software. What applications out there are aware of those myriad software bundles? What applications can sense patch level, scan for vulnerabilities and so forth across such a wide array of tech estate?
Regardless of your vendor – tier 1 or startup – the breadth of deployed software is going to be an issue with regards to monitoring, vulnerability scanning and patch level awareness. I wish we had good solutions to this as an industry. As yet, I haven't found any that don't end up with the end user writing some module or plug-in to support $esoteric_app.
IT at that level is not easy, and there are no pat solutions.