Dimension Data finds vulnerabilities on Cisco devices

24.05.2011

"Patching is a difficult process for corporates. It is not something they have yet incorporated into their culture," said Campbell. Companies devoted most of their time to looking after vulnerabilities at the application layer, where most attacks occurred. Hardware vulnerabilities -- even well-known ones -- came further down the priority list, more so if they related to internal network devices seen as unrelated to security. "A vulnerability like this [PSIRT 109444] might exist for a year or more, or indefinitely," he said.

Overall, the number of vulnerabilities identified by Cisco fell to 45 in 2010 from a peak of 65 in 2007. According to Dimension Data, only 20 percent of the devices examined were vulnerable to a further four reported Cisco flaws, which suggests that the PSIRT 109444 exposure is the exception rather than the rule. The number of Cisco products that had passed their "last day of support" had also declined year-on-year.

The findings hint at two apparently contradictory themes: uniformity and complexity.

The uniformity derives from the commoditization of IT equipment over the last decade, which has left companies of all sizes, in all countries and in all business sectors using similar families of products, and therefore exposed to the same vulnerabilities, PSIRT 109444 among them.

But within this apparent uniformity, complexity hides, often in ways companies are not fully aware of. For instance, across the 270 assessments carried out by Dimension Data, the average network was running 28 different versions of Cisco's router operating system, IOS (Internetwork Operating System), and 11 assessments found more than 100 versions. Of the latter, Campbell said, "This speaks of a company that is not in control."
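The version sprawl Dimension Data describes is easy to measure once the first line of `show version` has been collected from each device. The script below is an added example, not Dimension Data's assessment tooling: it parses that banner line for a set of devices, groups hosts by the IOS version they report, counts how many distinct versions are in play, and lists hosts that are off an approved baseline. The hostnames, image names, versions and the `max_versions` policy limit are all constructed for illustration (the banners follow the real IOS format, but none describes a real device), and one entry is a failed collection to show that an unreadable device is reported rather than silently treated as patched.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed sample: the banner line of `show version` as collected from a
# handful of devices (e.g. by a script over SSH). Hostnames, images and
# versions are made up for this example; one entry is a failed collection.
SHOW_VERSION_BANNERS = {
    "core-rtr-01": "Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)",
    "core-rtr-02": "Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)",
    "branch-rtr-07": "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc2)",
    "branch-sw-03": "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2)",
    "branch-sw-04": "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)",
    "lab-rtr-01": "IOS (tm) 2500 Software (C2500-I-L), Version 12.0(28), RELEASE SOFTWARE (fc1)",
    "dc-sw-09": "% Connection timed out; remote host not responding",
}

# "Version <token>," appears in both the old "IOS (tm)" banner and the newer
# "Cisco IOS Software" banner; the token runs until the next comma or space.
VERSION_RE = re.compile(r"\bVersion\s+([^,\s]+)")

UNPARSED = "UNPARSED"


def parse_ios_version(banner: str) -> Optional[str]:
    """Return the IOS version token from a show version banner, or None."""
    m = VERSION_RE.search(banner)
    return m.group(1) if m else None


def version_inventory(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by the IOS version they report; unparseable -> UNPARSED."""
    inv: Dict[str, List[str]] = {}
    for host, banner in sorted(banners.items()):
        inv.setdefault(parse_ios_version(banner) or UNPARSED, []).append(host)
    return inv


def distinct_version_count(inv: Dict[str, List[str]]) -> int:
    """Number of distinct versions actually identified (UNPARSED excluded)."""
    return len([v for v in inv if v != UNPARSED])


def hosts_off_baseline(inv: Dict[str, List[str]], baseline: Set[str]) -> List[str]:
    """Hosts not running an approved version. Hosts we could not read are
    listed too: an unknown version is not evidence of a patched one."""
    return sorted(h for v, hosts in inv.items() if v not in baseline for h in hosts)


def sprawl_assessment(banners: Dict[str, str], baseline: Set[str], max_versions: int = 5) -> dict:
    """Summarise version diversity and baseline compliance.

    max_versions is an assumed local policy limit, not a figure from the
    article; Dimension Data's numbers (28 per network on average, over 100
    in 11 assessments) are observations, not a recommended threshold.
    """
    inv = version_inventory(banners)
    n = distinct_version_count(inv)
    counts = Counter({v: len(h) for v, h in inv.items() if v != UNPARSED})
    return {
        "distinct_versions": n,
        "over_limit": n > max_versions,
        "unreadable_hosts": inv.get(UNPARSED, []),
        "off_baseline": hosts_off_baseline(inv, baseline),
        "most_common": counts.most_common(1)[0][0] if n else None,
    }


if __name__ == "__main__":
    BASELINE = {"12.4(24)T4", "12.2(55)SE"}  # assumed approved builds for this example
    for key, value in sprawl_assessment(SHOW_VERSION_BANNERS, BASELINE, max_versions=3).items():
        print(f"{key}: {value}")
```

Run on the constructed sample, the report shows five distinct versions across seven devices, one device that could not be read, and four hosts off the two-version baseline. The baseline set is the hook for the patching problem Campbell describes: once an advisory such as PSIRT 109444 names fixed releases, the approved set is updated and every host outside it is a device that still needs work, including the ones that did not answer.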