'Jamie Moles, senior sales engineer at ExtraHop, commented: "While Spring has moved remarkably fast on deploying a patch, this is still a customer responsibility.'
Surely, in an ideal world, the primary responsibility should rest with the framework developers to code and test adequately so the customer wouldn't need to patch so often. A very high proportion of 'vulnerabilities' result from basic coding errors at the increasingly neglected metal level. But of course that's where most of the potential for critical errors sits.
The prevalent idea that it's perfectly fine for vendors to release dangerously flawed products to customers, who are then 'responsible' for protecting themselves need to be eradicated if any significant progress is to be made in infosec. As it is, the last three or so decades have seen the overall state of infosec decline rather than improving, despite all the ostensible technical 'advances' in security provisioning.