Patch some test systems within 24hrs, within 48hrs a large production sample, then everything.
I first heard of patching in single digit days from Paul Griffiths in 2011 [https://blog.qualys.com/securitylabs/2011/04/26/good-software-hygiene-is-effective-in-combat-of-malware-driven-data-breaches].
Now I’ve come across someone else who says patch first, rollback later: Sébastien Mériot. He says OVH have a strict policy to “apply patches and updates immediately when they are published on all their machines.” [https://www.ovh.com/fr/blog/wannacry-ransomware-sechez-vos-larmes-mais-restez-prudents/]
Perhaps now, with DevSecOps, everyone can make the leap – and everyone will be working for the Information Security Dept. [Image Credit: drawn live by ‘Fix’ during Orange CyberDefense#Live 2018]