IT professionals are taking up to a month to patch critical security flaws, leaving organizations at high risk of cyberattacks. This is according to a new survey from Synopsys, which found that 28% of respondents take as long as three weeks to patch a critical security vulnerability, and another 20% say their organizations take up to a month.

The survey, reached out to 1,000 IT experts from the United States, the United Kingdom, France, Finland, Germany, China, Singapore, and Japan, revealed this.

According to the survey, 28% of respondents admitted to taking up to three weeks to address a critical security vulnerability, while an additional 20% confessed that their organizations often take a whole month to apply the necessary patches. The repercussions of such delays is that hackers who are quick to exploit newly discovered vulnerabilities, pose threats to organizations that lag behind in securing their systems.

There are a number of reasons for this slow patching, including a lack of resources, the complexity of modern IT systems, and the difficulty of prioritizing patches.

“There are multiple different factors involved when it comes to patching, and it’s very time consuming,” Kimm Yeo, senior solutions manager at Synopsys’ software integrity group, told Axios.

“There are a lot of vulnerabilities sitting in the backlog,” she added. “How do you know this is critical enough that you need to give it top priority, especially when there’s a lack of security experts or insights into the vulnerability itself?”

Furthermore, the survey’s findings shed light on insecure code prevalent in the modern internet, often due to the use of less secure coding languages and the tendency to prioritize production deadlines over security.

The sources for this piece include an article in Axios.