Survey shows most companies still vulnerable to attacks

15.11.2005
Though companies are making significant progress in their overall patching practices, nearly seven out of 10 business systems currently remain vulnerable to exploits and attacks, according to research from Qualys Inc.

At the same time, almost half of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities annually, according to the research, which was released today during a keynote address at the Computer Security Institute conference in Washington, D.C.

Qualys, a Redwood Shores, Calif.-based provider of managed security services, has been conducting a study of the vulnerability and patch management strategies of its clients -- including its Fortune 500 customers -- since 2002. Each year, the company releases a synopsis of its findings that highlights key trends in both areas.

This year's findings are based on a study of more than 32 million vulnerability assessment scans within its customer base, said Gerhard Eschelbeck, chief technology officer at Qualys.

The research shows that, on average, companies take about 19 days to patch half of the Internet-facing systems exposed to a given critical vulnerability. In contrast, the companies Qualys studied needed 21 days to protect half of their Internet-facing systems last year and 30 days to do so in 2003.

"Patching behaviors are getting pretty good," Eschelbeck said, noting that many software vendors now have scheduled patch releases rather than offering them on an ad hoc basis. "When you have pre-defined patch releases, people tend to apply patches faster than they would with irregular [schedules]."