I'm not sure that a resource issue with the development process is a good justification for delaying security patches. I do understand that other items need to be in the queue but if a companies method of prioritization is such that the number of known security issues grows while other features are getting coding then they have an issue with prioritization. If it ain't broke, don't fix it. However, if it's broke and you're finding it's more broke stop building on it until it's fixed.