• This is not unexpected. Ninety percent of the "Internet" in the U.S. is privately owned, as opposed to when it was born and the federal government was the owner. If businesses were taking care of business (Sarbanes-Oxley anyone?) then there would be no need for the federal government to even hint at enforcing IT security.

    There are a large number of NIST documents that are all security related and are worth the perusal. They contain nothing draconian. But as guidelines, many businesses will ignore their content even if they are aware that these documents exist. Yes, Oracle and Microsoft have, in the past, issued problematic patches, but I fail to see how that becomes an argument for not patching. I also fail to see the rationale for abdicating "patchiness" to a SANS Institute if the only point in their favor is that they are "private". Private yes, free no.

    DBAs need to be aware of how their role fits into the overall "defense in depth" of their organization in ensuring confidentiality, integrity, and availability of corporate computing resources. Check out NIST Special Publication 800-30 and do your own risk assessment.

    At the end of the day, if business doesn't take care of business, the federal government will.