If your system is updated, say monthly, and your firewall properly set up and maintained, the major issue becomes users.
Not disagreeing with your basic concepts here, but most systems may as well be set to update themselves daily, or even more frequently.
Of course, the ideal when you have lots of machines is to run a single machine as a yum repository for updates and have that one machine update frequently. Then all your other client machines can query that one, such that you reduce the window of vulnerability to a minimum while (and this is very important) NOT swamping the Fedora servers and mirrors with tons of requests.
I currently run about 30 machines this way, and the primary machine updates itself every four hours. All internal systems query that box every two hours. But the Fedora mirrors only see six connection requests from me per day, instead of 180. Basic download netiquette.
-- Rodolfo J. Paiz rpaiz@xxxxxxxxxxxxxx http://www.simpaticus.com
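The layout described in the message above, as an added example that is not part of the original post: one machine syncs from upstream every four hours, and clients update from it every two hours with package signature checking left on. The hostname, paths, repo id and key file are assumptions, and the sync line assumes the yum-utils `reposync` and `createrepo` tools.

```shell
#!/bin/sh
# Added example: writes the cron and yum config for the mirror/client layout
# in the post. Hostname, paths, repo id and key file are assumptions.
# Usage: script.sh mirror|client [ROOT]   (ROOT = staging dir, default /)

MIRROR_URL="${MIRROR_URL:-http://mirror.example.internal/repo/updates/}"  # hypothetical host
REPO_DIR="${REPO_DIR:-/var/www/html/repo}"                                # hypothetical path

install_mirror() {   # the single machine that talks to the Fedora mirrors
    root="$1"
    mkdir -p "$root/etc/cron.d"
    # Every four hours = six upstream syncs per day.
    # reposync -g removes any downloaded package that fails GPG verification,
    # -n keeps only the newest version of each package.
    cat > "$root/etc/cron.d/repo-sync" <<EOF
0 */4 * * * root reposync -g -n --repoid=updates --download_path=$REPO_DIR && createrepo --update $REPO_DIR/updates
EOF
}

install_client() {   # every other machine: talks only to the internal mirror
    root="$1"
    mkdir -p "$root/etc/cron.d" "$root/etc/yum.repos.d"
    # gpgcheck stays on: the internal mirror is a cache, not a trust anchor,
    # so clients still verify Fedora's signature on every package.
    cat > "$root/etc/yum.repos.d/internal-updates.repo" <<EOF
[internal-updates]
name=Internal updates mirror
baseurl=$MIRROR_URL
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
EOF
    # Every two hours, offset from the mirror's sync minute.
    cat > "$root/etc/cron.d/yum-update" <<EOF
30 */2 * * * root yum -y update
EOF
}

case "${1:-}" in
    mirror) install_mirror "${2:-}" ;;
    client) install_client "${2:-}" ;;
esac
```

On the clients, the stock updates repo also has to be disabled, otherwise they will still contact the public mirrors directly.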