There is no shortage of stories in which someone delayed patching and a vulnerability was then exploited.
DBAs of a certain age will remember the SQL Slammer worm. The buffer overflow exploit caused worldwide internet disruption and affected internal networks as well. Sadly, a patch had been released several months earlier and was included in the latest SQL 2000 service pack, but it had not been applied to many installations.