Why people don't apply patches
I just opened Firefox and got a dialog stating that a software update to 1.5.0.5 had been downloaded and is ready to install. And, of course, I immediately groaned. Why?
Because somewhere between the last two software updates, my arrow keys and page-up/page-down started to intermittently fail. The apostrophe (') would also bring up Find when I typed it in text boxes. I use the keyboard a lot when web browsing, so for me this is REALLY ANNOYING. It got so bad that I was seriously considering switching to Internet Explorer 7 beta, but quickly squashed that idea once I found a viable workaround -- to create a New Window, close it, and click on the page. And even with this, I would still want to go back to 1.5.0.2 if it weren't for the security issues.
If you want to know why people are reluctant to patch, it's simple: patching breaks stuff. Ask anyone who tried Windows NT Service Pack 2 or 4. Nobody wants to keep using broken software, but they'll continue doing so if their workflow is disrupted every time an update is installed. The risk of regressions increases when non-critical changes are included in the patch. For instance, let's take the release notes for 1.5.0.5:
http://www.mozilla.com/firefox/releases/1.5.0.5.html
What's new: Improvements to product stability. That's good. Several security fixes -- that's really good. Added changes to Frisian locale (fy-NL)... huh? Why is this in a security update that's being delivered through the automatically-installed-and-tell-later channel? Why couldn't this have waited and is it worth the regression risk?
Now, I can't blame the Mozilla team for accidentally letting a bug through, especially since reproducibility is really bad and it's been sporadically appearing and disappearing according to Bugzilla history. Certainly, making a locale change isn't the worst abuse of a security update that I've seen -- releasing "Windows Genuine Advantage Notifications" as a critical update was a really f#*$&ing stupid idea. Still, when I am asked to download a security update, I want it to hold only security fixes, and software vendors need to recognize that patching involves risk to the user even if it does fix serious security issues.
(And before someone posts a you-should-fix-it-since-it's-open-source comment, I tried. After trawling all over the wiki to get the randomly placed build tools for Win32 that aren't in the source archive, I gave up after I got "nsidl.exe Failed -- Error 57" eight levels deep in recursive calls to "make" within a 200MB source code tree. I can't deal with a build system like that.)