This is always a topic of debate during an audit or security assessment.
Auditor: Your control system lacks the latest security patches and is vulnerable to cyber attack.
Asset owner: Security patches must be certified by the OEM, or else the OEM will not be responsible for failure or damages due to non-certified changes made to the control system.
Whether patches are up to date isn’t the key issue. The bottom line is to understand whether there is a repeatable mechanism to manage security vulnerabilities. After all, having all the latest patches deployed doesn’t mean the control system is secure, and a missing patch doesn’t mean the control system is immediately at risk.
The motto from VX Heaven offers good inspiration: “Viruses don’t harm, ignorance does!”