"Many of the most significant breaches were caused by unpatched servers"
..patching servers have never have really been an issue in any half decent organisation, even the likes of the NHS could do it.
It's the applications on top that break because they are either badly written, maintained, implemented, tested and on and on.
How many programmes will break if you update Java, or they are dependant on a obsolete PHP that was last updated during the 2012 Olympics.
We could tear across 3000 servers and patch them right now, but now doubt a 1/3 of them will break due the outdated crap that runs on top.