Found this great letter recently from MetalToad to explain to Drupal clients the importance of updating security and software patches and updates. I will often tell clients that we will need to do security patches approximately every 6 months, yet some choose to pass on the service. Updates can sound unnecessary, but when your site rolls to a halt with software errors, or worse - is hacked from a security breach, that pesky 1 hour update seems like a darn good idea. Here's the read...
Dear Drupal Client,
There was a significant security flaw identified in the version of Drupal your site is running that was fixed in a security patch that was released on Drupal.org May 25. We're currently recommending implementing this patch ASAP to avoid any issues.
Since this represents a significant danger to the data on your site and machines within our hosting environment we are considering this update to be mandatory. Please let us know if you will be able to schedule a software update within the next few weeks yourself, or we can implement the patch on a time and materials basis.
We're currently estimating this task as a 1 hour line-item billed at your normal hourly rate, however should complications arise it's possible that it could take more time. There should be no downtime associated with the patch, but you may wish to review the site for possible issues/changes. If you need us to address any issues, they will be addressed on a T&M basis.
I feel strongly that this update should be viewed as a showcase of the value of Drupal and Open Source projects. If your site were not built using Drupal, it's likely that this issue would have gone undetected and could have resulted in significant financial cost. The recent high-profile Sony PlayStation Network security breach is a potent example of what can go wrong.
Thank you for your understanding and continuing business! Please feel free to contact me should you have any questions.
Here's a link to the official announcement: