Maybe you are right - but I never yet saw any non-trivial sofware that wasn't broke and stayed that way for a significant amount of time (it ended up broke either because it had real bugs or because it had security problems or because new requirements had come or because the users didn't like it or because teh requirement specification was broke in the first place). And don't forget that a security flaw for which there are no exploits may leave the software looking as if it ain't broke, but when someone produces an exploit it will suddenly become obviously very broke indeed, so it's best to fix before that happens - so you have down time to apply and check patches even when the system ain't broke.