Re: Typical problem of many large organizations
This ignores the other factors in this...
Firstly, we have Apache, who reportedly fixed the vulnerability with the release of new code on 7-Mar-2017. What I found interesting was that the Apache announcement for this release contains the following:
This release addresses one potential security vulnerability:
Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser
Namely, no explicit mention of the CVE fixed in the release, making it relatively easy for a busy admin - with several dozen packages status monitor, to downgrade the update from must do to 'pending'. Which leads us to the first challenge: communicating important information to user organisations.
Secondly, we have the other problem of large interconnected IT systems. I suspect that Equifax like many organisations wasn't running the latest releases and were running a few releases behind, so fixing might require doing more than simply running a patch file and thus increase the need for design review, planning, testing etc. which in turn increases the time before the vulnerability is fixed.