Musings on Information Security
October 2006
This work is licensed under a Creative Commons Attribution 2.5 License.
Vulnerability management

Alan Shimel has an interesting post about the evolution of vulnerability management.

Alan says:

 "The scanning and patching game is to some extent like chasing your tail. You never quite win. Better to be proactive with configuration management. Is patching the right way? With so many vulnerabilities and patches constantly flooding us, is there another way?"

You can never win, nor is there another way (maybe one day there will be, if someone comes up with mutating software that fixes a vulnerability by itself when someone tries to exploit it). Winning is not the end goal; mitigating business risk is. You can't mitigate every vulnerability floating around just because it is a vulnerability. You need to mitigate a vulnerability based not only on the risk profile of the vulnerability itself (severity, exploitability) but also on the risk profile of the business context it sits in (what the vulnerable system does, who can reach it, what already shields it). A VM solution that understands the context of the vulnerability will stand out.
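As an added illustration (not code from Alan's post or from this one), the following Python ranks a constructed set of scanner findings by combining the vulnerability's own risk profile with the business context of the asset it lives on. The inventory, the findings, the weights and the action thresholds are all assumptions for the example; the point is how far the ranking drifts from the raw scanner severity once context is applied.

```python
"""Context-aware vulnerability prioritization (added illustration, not code from the post).

Assumptions: scanner findings carry a CVSS-style base score (0-10) that describes
only the vulnerability's own context, and a separate asset inventory carries the
business context. Weights, assets and findings are all constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool        # reachable from untrusted networks
    business_criticality: int     # 1 (throwaway lab box) .. 5 (revenue-critical)
    compensating_controls: bool   # e.g. WAF or host IPS in front of the service


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    base_score: float             # scanner severity, vulnerability context only
    exploit_public: bool          # working exploit known to be circulating


# Constructed inventory and scanner output.
ASSETS = {
    "web-01": Asset("web-01", internet_exposed=True, business_criticality=5, compensating_controls=False),
    "web-02": Asset("web-02", internet_exposed=True, business_criticality=5, compensating_controls=True),
    "db-01": Asset("db-01", internet_exposed=False, business_criticality=5, compensating_controls=False),
    "lab-07": Asset("lab-07", internet_exposed=False, business_criticality=1, compensating_controls=False),
}

FINDINGS = [
    Finding("F-1", "lab-07", base_score=9.8, exploit_public=True),   # "critical" on a lab box
    Finding("F-2", "web-01", base_score=7.5, exploit_public=True),
    Finding("F-3", "web-02", base_score=7.5, exploit_public=True),
    Finding("F-4", "db-01", base_score=5.3, exploit_public=False),  # "medium" on the crown jewels
]


def contextual_score(finding, assets):
    """Scale the scanner's score by the vulnerability context and the business context.

    The multipliers are illustrative; the point is that the same base score lands
    in very different places depending on where the vulnerable component sits.
    """
    asset = assets[finding.asset]
    score = finding.base_score
    if finding.exploit_public:                         # vulnerability context: easy to weaponize
        score *= 1.25
    score *= 0.2 + 0.2 * asset.business_criticality    # 0.4 (criticality 1) .. 1.2 (criticality 5)
    score *= 1.5 if asset.internet_exposed else 0.7    # reachability from untrusted networks
    if asset.compensating_controls:                    # something already blunts the attack
        score *= 0.6
    return score


def decide(score):
    """Map a contextual score to an action; thresholds are assumptions for the example."""
    if score >= 10.0:
        return "patch now"
    if score >= 4.0:
        return "schedule in next maintenance window"
    return "accept and monitor"


def prioritize(findings, assets):
    """Return (finding_id, rounded score, action) tuples, highest contextual score first."""
    ranked = sorted(findings, key=lambda f: contextual_score(f, assets), reverse=True)
    return [(f.finding_id, round(contextual_score(f, assets), 2), decide(contextual_score(f, assets)))
            for f in ranked]


if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS):
        print(row)
```

Run as-is, the 9.8 on the lab box drops to the bottom of the list and gets accepted, while the 5.3 on the isolated but critical database outranks it; the two identical web findings are split by the compensating control in front of web-02.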

Have you configured it right?

Many IT managers believe that buying more security software and security appliances gets them more security. Each additional appliance or piece of software can also introduce additional vulnerabilities.

Imagine that you had a simple firewall architecture and at some point, for the sake of high availability, you decide to migrate to a hybrid firewall architecture. What if you leave SNMP enabled on the external firewall interface? That is a potential attack vector: SNMPv1 and v2c authenticate with a cleartext community string, so anyone who guesses it (or finds the default still in place) can read the firewall's interface and routing tables, and with write access can change its configuration.

The point I am trying to emphasize is this: it is not about the number of security appliances and security software products you have, it is about how securely each of those components is configured.

If you are an IT manager, it is a good idea to revisit your security appliances and security software to ensure that they are configured the right way, according to best practices.

Lastly, some food for thought: how are these components configured collectively? A device that is hardened on its own can still be undone by a peer in the same HA pair that was never brought up to the same standard.
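As an added example (not code from the post), the following Python audits a constructed fleet of firewall configurations for exactly the mistake described above, checking each device on its own and then checking the HA pair collectively, which is the "configured collectively" question. It assumes the vendor configurations have already been exported into the simple dictionary form shown; the device names, zones, checks and thresholds are assumptions for the example.

```python
"""Configuration audit for a fleet of firewalls (added illustration, not code from the post).

Assumption: each device's running configuration has already been exported into the
simplified dictionary form used below (a real audit would parse the vendor config).
The fleet is constructed for the example: an external HA pair where one member kept
SNMP v2c with a default community on its outside interface after the migration.
"""
import ipaddress

DEFAULT_COMMUNITIES = {"public", "private"}
MGMT_SERVICES = {"snmp", "ssh", "https-admin"}

DEVICES = [
    {
        "name": "fw-ext-a", "ha_group": "external",
        "interfaces": {"outside": {"zone": "untrusted", "services": {"snmp", "ssh"}},
                       "inside": {"zone": "trusted", "services": {"ssh"}}},
        "snmp": {"version": "2c", "community": "public", "allowed_from": ["0.0.0.0/0"]},
    },
    {
        "name": "fw-ext-b", "ha_group": "external",
        "interfaces": {"outside": {"zone": "untrusted", "services": set()},
                       "inside": {"zone": "trusted", "services": {"ssh", "snmp"}}},
        "snmp": {"version": "3", "community": None, "allowed_from": ["10.10.0.0/24"]},
    },
    {
        "name": "fw-int-a", "ha_group": "internal",
        "interfaces": {"dmz": {"zone": "dmz", "services": set()},
                       "inside": {"zone": "trusted", "services": {"ssh", "snmp"}}},
        "snmp": {"version": "3", "community": None, "allowed_from": ["10.10.0.0/24"]},
    },
]


def audit_device(dev):
    """Checks that look at one device in isolation."""
    issues = []
    for ifname, iface in dev["interfaces"].items():
        exposed = MGMT_SERVICES & iface["services"]
        if iface["zone"] == "untrusted" and exposed:
            issues.append(f"{dev['name']}: {sorted(exposed)} enabled on untrusted interface {ifname}")
    snmp = dev["snmp"]
    if snmp["version"] in ("1", "2c"):
        issues.append(f"{dev['name']}: SNMP v{snmp['version']} (cleartext community, no real authentication)")
        if snmp["community"] in DEFAULT_COMMUNITIES:
            issues.append(f"{dev['name']}: default SNMP community '{snmp['community']}'")
    for net in snmp["allowed_from"]:
        if ipaddress.ip_network(net).prefixlen == 0:     # 0.0.0.0/0 or ::/0
            issues.append(f"{dev['name']}: SNMP accepted from any source ({net})")
    return issues


def audit_fleet(devices):
    """Checks that only make sense across devices: HA peers must expose the same management surface."""
    issues = []
    groups = {}
    for dev in devices:
        groups.setdefault(dev["ha_group"], []).append(dev)
    for group, members in groups.items():
        if len(members) < 2:
            continue
        # Fingerprint = management services exposed per zone, plus the SNMP version in use.
        fingerprints = {}
        for dev in members:
            per_zone = tuple(sorted(
                (iface["zone"], tuple(sorted(MGMT_SERVICES & iface["services"])))
                for iface in dev["interfaces"].values()
            ))
            fingerprints[dev["name"]] = per_zone + (dev["snmp"]["version"],)
        if len(set(fingerprints.values())) > 1:
            names = ", ".join(sorted(fingerprints))
            issues.append(f"HA group '{group}': members {names} expose different management surfaces")
    return issues


def run_audit(devices):
    """Per-device findings first, then the fleet-wide consistency findings."""
    issues = []
    for dev in devices:
        issues.extend(audit_device(dev))
    issues.extend(audit_fleet(devices))
    return issues


if __name__ == "__main__":
    for issue in run_audit(DEVICES):
        print(issue)
```

On the constructed fleet, fw-ext-a produces four individual findings (management services on the outside interface, SNMP v2c, the default community, and SNMP open to any source) and the fleet check adds a fifth: its HA peer fw-ext-b was hardened, so the pair no longer presents the same surface, which is exactly the kind of drift that per-device review misses.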
