1) As has been pointed out on numerous security lists, many of the big name vendors have problems with bugs and security. The list of Oracle bugs fixed in this latest release is some 82 in number. Some of those vulnerabilities have existed for years. As a matter of fact, David Litchfield called them out on this fact. Also, he pointed out that one of the fixes they did previously only prevented the sample exploit code he provided them. It didn't actually solve the problem. I'm not saying all this to bash Oracle but to point out that as software gets more and more complex, more issues come about.

2) The WMF vulnerability is something left over in the APIs from the 3.1 days. There was a reason for some of it in the 3.1 days, not necessarily all of it, but in those days all code was essentially trusted. Having to be backward compatible in large measure does cause these sorts of things to happen. And not being backward compatible can be a death sentence. Amiga, anyone? (Though Commodore's poor marketing has a lot of the blame, too.)

3) Microsoft was releasing hotfixes as soon as they were ready. And then they started getting complaints from sysadmins. Having to patch systems 5 or 6 times a month when no exploit code was known to be circulating was killing IT shops. It's one thing to patch a critical vulnerability that's being exploited. It's another thing to have a whole slew of patches to deploy. So Microsoft asked, and the responses they got back led them to the once a month release. For which many, many sysadmins thanked them.

K. Brian Kelley
@kbriankelley