One of the key activities in cybersecurity is to deploy security patches on regular basis. This is intended to upkeep cyber protection strength of the ICT or ICS infrastructure, platform and application.
Certain cybersecurity practitioners are just blindly follow text book knowledge to mandate missing patches are policy violation and need to follow exception process.
The cyber protection has undergone various strategical changes over the years: from prevention to detection and now resilience because there are a lot of unknowns to make prevention nor detection effective; from physical location centric to context-based because data are everywhere.
Bottom line is to apply patches according to the specific business environment via assessing likelihood of exploitation. If the system is isolated from the Internet with strong physical access control and removable media control, there is no urgency to deploy so-called zero-day vulnerability patch. Follow the now, next or never philosophy because some patches are not even needed like the log4j that has been over-amplified to incur FUD.