The article features comments from David Litchfield and makes a good point about regulatory requirements to apply security patches promptly. He also mentions that he will soon release a paper on problems with using OPatch, Oracles patch application tool and also its tool for verifying the patch level of a database. He goes on to discuss the problems of incomplete patches, patches that fail to fix the flaws, the problems with not running post installation procedures, problems with OPatch not updating the registry properly and a problem with rolling back patches where the patch is removed but the inventory is not updated. This leads to the situation where a database looks to be patched but in fact it is not.
This looks like it will be a very interesting paper when released. This article also starts to raise serious worries about the state of the Oracle patching process and tools.