Slow And Painful
"SAP users were notoriously bad at updating and securing their deployments"
Probably because it's not an easy process. Most people that have never worked with SAP think that patching is just a case of running a file (or files) that just do the work and maybe re-start the server afterwards.
Within SAP, there are a large number of steps, many opportunities to screw up the in-house written apps that *have* to be used; and it also has to be tested several times before rolling it out. Plus people bitch like crazy about the time that it takes; there always seems to be yet another project underway that means it's really inconvenient to do the patching this quarter.
But the biggest problem is that SAP think that "security by obscurity" is an appropriate security strategy. It's not always clear just what patches need to be applied without some careful research.