http://www.zdnet.com.au/news/security/soa/Oracle_no_longer_a_bastion_of_security_Gartner/0,2000061744,39234277,00.htm

I guess I now know why Oracle customers aren't up in arms over the lack of fixing security holes. Even when Oracle does get around to issuing patches it seems that admins aren't applying them. "...Oracle has historically been seen as having very strong security and many of Oracle's products are located "deep within the enterprise", administrators often neglect their patching duties..."