Part of the complexity in any patch process for any complex software system - be it a system of drivers, dlls and exes (like an OS or .NET (Framework + Runtime)) - has to with non-composable system dependencies. It's easy (and perhaps fair) to think that .NET is too hard to patch, but the question is: what's being patched and how does the thing being fixed impact the rest of the system (or what are the side effects of the patch)?
Operating systems and Frameworks are not yet truly composable systems (I don't know if they ever will be...). Until the time comes when you can replace any component in a system of components without impacting any other piece of the system, there are chances that a patch will do its job (fix a security hole or some other critical issue) with unintended side effects. All the testing in the world sometimes doesn't find the little bug inside the mushroom under the leaf next to the other leaf in the pile of leaves next to the tree in a stand of related trees in a forest.
We've been talking about this basic truth in complex software systems for quite a long time here on Channel 9. Come on, man. Pay attention!