I fail to see how Trend Micro OfficeScan can be included in here though. It can be updated via a "free update interface" like "SMS/WSUS". So then how does it fall into this category? Point 5 outlines that the application must rely on the end user to update the application. Surely Norton as well can be updated via WSUS and SMS? So can Acrobat.
And for the Java SDK, it's an SDK, obviously it's going to have vulnerabilites, it's a development tool. But I assume they are only refering to the compiled runtime environment?
Rusty raises a good point, surely it's better to patch than to have never patch before.
