nCircle prioritizes Microsoft, Adobe, Apple patches for users

19.02.2010

A ranking done last week, after Microsoft shipped this month's 13 updates, showed 10 patches from 2009. In other words, none of the 35 vulnerabilities patched thus far in 2010 made nCircle's top 10.

That's because one of the factors nCircle uses to calculate the index is the length of time since a patch was issued. "The longer a vulnerability is known, the more likely that exploit code is available," said Storms. Other criteria used to create a given patch's priority include the class of the underlying vulnerability -- bugs that can be used to hijack a system get a higher number than those that cannot, for example -- and what nCircle describes as the vulnerability's "skill set."

"That's how easy our researchers think the vulnerability is to exploit," said Storms.

nCircle researchers evaluate each vulnerability and patch to determine the class and skill-set components of the final index value. "Every single CVE gets a human eye," said Storms, referring to the Common Vulnerabilities and Exposures identifier each security bug is assigned by the patching vendor.

The free priority index uses a scoring system that will be unfamiliar to people used to Microsoft's four-step rankings of critical through low: "We don't stop at 10," said Storms. "There's no upper range."
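To make the three factors the article describes concrete, here is a small patch-prioritization scorer added as an illustration. It is not nCircle's index or formula (the article gives the factors but not the weights); the weights, the age curve, the advisory identifiers and the sample patches are all constructed for the example. It combines vulnerability class, the "skill set" needed to exploit, and time since the patch was issued, with the age term growing without an upper bound, so an older patch of the same class and difficulty always outranks a newer one, which is why a February 2010 top 10 can consist entirely of 2009 patches.

```python
from dataclasses import dataclass
from datetime import date

# Constructed weights for a hypothetical index. Hijack-class bugs score
# higher than those that cannot take over a system; an easier exploit
# (lower skill required) scores higher than a hard one.
CLASS_WEIGHT = {
    "remote code execution": 10,
    "privilege escalation": 7,
    "denial of service": 3,
    "information disclosure": 2,
}
SKILL_WEIGHT = {"low": 3, "medium": 2, "high": 1}

# Reference date taken from the article (19 Feb 2010).
TODAY = date(2010, 2, 19)


@dataclass(frozen=True)
class Patch:
    advisory: str      # placeholder identifier, not a real advisory
    cve: str           # placeholder, not a real CVE number
    issued: date
    vuln_class: str
    skill: str


def days_outstanding(patch: Patch, today: date = TODAY) -> int:
    """Days since the vendor shipped the patch."""
    return (today - patch.issued).days


def priority_index(patch: Patch, today: date = TODAY) -> float:
    """Hypothetical index: class * skill * age factor, rounded to 0.1.

    The age factor is 1 + days/30 and has no ceiling, mirroring the
    'no upper range' property the article describes.
    """
    age_factor = 1 + days_outstanding(patch, today) / 30
    return round(CLASS_WEIGHT[patch.vuln_class] * SKILL_WEIGHT[patch.skill] * age_factor, 1)


def top_n(patches, n: int = 10, today: date = TODAY) -> list:
    """Advisory identifiers ranked from highest to lowest index."""
    ranked = sorted(patches, key=lambda p: priority_index(p, today), reverse=True)
    return [p.advisory for p in ranked[:n]]


# Constructed sample: two 2009 patches and two from the February 2010 batch.
SAMPLE_PATCHES = [
    Patch("ADV-2009-A", "CVE-PLACEHOLDER-1", date(2009, 6, 9), "remote code execution", "low"),
    Patch("ADV-2009-B", "CVE-PLACEHOLDER-2", date(2009, 10, 13), "denial of service", "high"),
    Patch("ADV-2010-A", "CVE-PLACEHOLDER-3", date(2010, 2, 9), "remote code execution", "low"),
    Patch("ADV-2010-B", "CVE-PLACEHOLDER-4", date(2010, 2, 9), "privilege escalation", "medium"),
]

if __name__ == "__main__":
    for p in sorted(SAMPLE_PATCHES, key=priority_index, reverse=True):
        print(f"{p.advisory:12} {p.vuln_class:22} skill={p.skill:6} "
              f"age={days_outstanding(p):3}d index={priority_index(p):6.1f}")
```

Note that ADV-2009-A and ADV-2010-A share the same class and skill rating; only the 255 versus 10 days outstanding separates them, and that alone puts the 2009 patch several times higher on the list.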