I find security patches
  to be highly important.
  to be annoying.
  to be part of daily DBA life.

If I, and I alone, knew of a serious security vulnerability I'd
  want it patched as soon as possible.
  keep it quiet.
  report it to Oracle and wait however long for them to fix it.

If there was a serious security vulnerability with no patch available and public exploit code existed
  I wouldn't care too much.
  I'd want a patch as soon as possible.
  I'd wait for the next Critical Patch Update.

I install security patches
  immediately.
  within 3 months.
  within 6 months.
  within 1 year.
  more than 1 year or never.

I blame all these patches on
  security researchers - why can't they just leave us alone?
  poor code in shipped products.
  no one - they just happen.