Re: Architectural issues as well?
A combination of architecture and policies could absolutely enable a company to patch many, if not most, critical vulnerabilities in very little time.
To illustrate, I was able to patch for Heartbleed and POODLE in less than a day because a) the right architecture was in place (F5 BIG-IPs front-ending all public-facing entry points) and b) the execs had my back and supported the right policies.
To contrast, my bank (one of the top-three in size in the USA) took almost a year to patch some of these high-sev vulnerabilities.
By the way, let's stop calling F5 BIG-IPs "load balancers" - they're Application Delivery Controllers (ADCs). Balancing the load is but one of many of its features. Why is this important? F5-gear is expensive and there are plenty of lower cost (or even 'free') load balancers out there. Why pay for F5 LBs if you can use AWS ELBs for 'free'...? Execs, PMs, Business Units, and Developers usually don't know the difference and have no idea what functionality they're giving up...