Windows bugs never really die

23.04.2009

* MS08-015, a one-fix update in March 2008 for a bug in Outlook, Microsoft's mail client, that could be exploited by tricking a user into visiting a malicious Web site.

* MS08-021, a two-patch update released in April 2008 for GDI, or graphics device interface, a frequently fixed core component of the operating system.

Even as late as this year, MS08-021 had not been applied to 20% of the PCs that Qualys scanned. The percentage of machines lacking the MS08-015 update, on the other hand, dipped at times to about 5%.

"It's difficult to say why they haven't been patched," said Wolfgang Kandek, Qualys' chief technology officer. Kandek presented his findings at the RSA security conference in San Francisco. "It just baffles me. Some administrators are just doing their worst possible job patching."

Qualys' scans are conducted on machines owned by its clients, which are exclusively businesses -- predominantly large companies.