Malware typically targets vulnerabilities that were fixed a long time ago. This only works because users are not installing security updates. We set out to find out who these users are, how many of them there are, and why they aren't patching. We found that unpatched users are prevalent, that patching levels vary significantly across applications and geographic regions, and that there are several contributing factors. This talk will present our findings and propose some potential solutions for these issues.