“Patch First and Ask Questions Later”

There seems to be a school of thought that says the lesson to be learned from MS05-039 is “patch faster”. Don't stop, don't think, don't consider. Just patch. They say fixing the result of patching is easier than fixing the result of the virus getting in.
If you're on a treadmill and someone starts hitting you with a baseball bat, the solution isn't ‘run faster’. It may be time to look for a different solution. How many people got hit with MS05-039 who were running personal firewalls on all systems? How many people got hit with MS05-039 who were running Host Based Intrusion Prevention systems? How many people who locked down their computers got hit?
Patch faster, they say; the real problem was Configuration Management “bureaucracy”.
Is computer security a science or an art? Is it your gut feeling that gets you to know you need to patch quickly? Is it rumors from SANS? Is it the result of a rational risk assessment? Is there too much gut checking and not enough Risk=Threat x Vulnerability?