Within any IT organization, there exist processes so routine and well-established that they become practically a given—with little concern for whether such processes and practices could be improved upon. Time is money, and it’s difficult to teach an old dog new tricks, especially if the dog doesn’t see any pressing reason to change its ways—or any risks involved with deciding not to.
When it comes to kernel patching, it seems that the current widespread philosophy is “if it ain’t broke, don’t fix it”. A background activity carried out by SysAdmins without much thought, kernel patching generally isn’t even on the radar of those responsible for organizational security and compliance. However, this is a potentially ruinous oversight, as the current standard approach to kernel patching leaves servers exposed to threat actors across multiple attack vectors.