Not understanding Security
Rather than concentrating on rushing out and patching code, they should concentrate on why systems are vulnerable in the first place.
Firstly, the Log4J exploit works by instructing the logging engine to make a call out to an Internet server (sometimes LDAP, but usually on another port). Why are those systems being allowed to initiate an outbound connection to what is basically a malware C&C server in the first place? It's basic security 101 that backend servers such as log engines should not have direct access to the internet, or should at least be controlled in what they can access.
Secondly, if you are running internet-facing systems, they should be protected by a decent WAF service or application-layer firewall. When the exploit kicked off, I checked the logs on our WAF and the Log4J attempts were already being blocked.
Did we rush to patch our servers? (It would have been 3 times, because they took 3 attempts to correct it.) No. We looked at our controls, analyzed the exploit, looked at the risk posed, and deduced that the risk to our systems was minimal due to the controls in place, and that the proposed workaround from the vendors was acceptable until patching can be done at the next regular maintenance window. No need for risky, untested, knee-jerk, emergency patching.
Perhaps I'm old school, but having sensible security controls in place in the first instance is better than having to firefight the next exploit.
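
The egress control the comment above argues for can be audited against firewall flow logs. This is an added example, not part of the original comment: the role names, allowlist, log format and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed egress policy (assumption): each server role may only reach
# these (network, port) pairs. Anything else is an outbound policy violation.
EGRESS_ALLOW = {
    "log-backend": [("10.0.0.0/8", 514), ("10.0.0.0/8", 9200)],
    "app-server": [("10.0.0.0/8", 5432), ("10.0.0.0/8", 514)],
}

# Constructed flow records: "timestamp role src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2021-12-10T09:14:02Z app-server 10.1.4.20 10.1.9.5 5432 ALLOW
2021-12-10T09:14:07Z app-server 10.1.4.20 203.0.113.66 1389 ALLOW
2021-12-10T09:14:09Z log-backend 10.1.7.11 10.1.8.3 9200 ALLOW
2021-12-10T09:15:31Z log-backend 10.1.7.11 198.51.100.23 389 DENY
2021-12-10T09:16:00Z log-backend 10.1.7.11 bad-line
"""

def permitted(role, dst_ip, dst_port):
    """True if the role's allowlist covers this destination.
    Roles with no policy entry are permitted nothing (default deny)."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(net) and dst_port == port
               for net, port in EGRESS_ALLOW.get(role, []))

def audit(flow_text):
    """Return (violations, malformed).
    A violation is an outbound flow outside policy: status 'gap' means the
    firewall let it through, 'blocked' means the egress control held."""
    violations, malformed = [], []
    for line in flow_text.splitlines():
        try:
            ts, role, _src, dst, port, action = line.split()
            ok = permitted(role, dst, int(port))
        except ValueError:
            # Wrong field count, bad IP or bad port: keep for manual review.
            malformed.append(line)
            continue
        if not ok:
            status = "gap" if action == "ALLOW" else "blocked"
            violations.append((ts, role, dst, int(port), status))
    return violations, malformed

if __name__ == "__main__":
    found, bad = audit(SAMPLE_FLOWS)
    for v in found:
        print(*v)
    print(f"{len(bad)} malformed line(s) need review")
```

A "gap" entry is the case the comment warns about: a backend host was allowed to open a connection to an external address it has no business reaching.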