Some businesses lack any form of security (in its widest sense) due to ignorance.
Some are of the opinion that they will patch when someone gets the time to sort it out; of course, that time never arrives.
Some, however, are keen to operate in as secure an environment as possible, BUT have bespoke software that is often mission critical, and therefore patches have to be thoroughly tested prior to roll-out. Sometimes the patches "break" other software, so although in principle they would like to secure the system, the problems outweigh the advantages, and systems remain vulnerable.
It is noticeable that IBM, surely one of the largest IT companies in existence, refrained from introducing SP2 to XP, precisely because they wanted to thoroughly test it first with their other software.
So, yes. Some companies need a good kick, but for others, it is a far more complex affair.