Even so, companies appear to be having less success when it comes to patching internal systems. On average, they take 48 days to patch 50 percent of the internal systems that could be exposed to a critical vulnerability. That number, while lower than the 62 days those businesses once needed, is not fast enough to mitigate the risks posed by today's fast-moving worms and viruses, Eschelbeck said.

In fact, almost 80 percent of exploits and attacks targeting new software vulnerabilities surface in the time it takes companies to patch their systems, with most of the damage being done within the first 15 days of an exploit release, he said.

The research also showed that 90 percent of the vulnerability exposure that companies face comes from just 10 percent of critical vulnerabilities at any given time. By making it a priority to find and fix just those vulnerabilities first, businesses can greatly reduce their overall exposure, Eschelbeck said.