I completely agree with you. A complete and mature program should be patching all endpoints and systems. But, don’t think you need complete patching coverage to have an effective patching program. If your program doesn’t or can’t have complete patching coverage or your team and resources are better utilized on other projects, it’s important to be able to properly prioritize patches using adversary intelligence and not CVSS scores or other impact metrics.