As one of my coworkers likes to paraphrase, "nothing ever gets safer until somebody dies."
I believe the same is true for any monitoring system. A number of different metrics may go unmonitored until somebody deems it necessary to keep track of them.
We've had a number of instances in our environment, for both network and server teams, where something happened because we did not know about it. Most of those were because we did not deem the relevant metrics important enough to monitor or we did not have thresholds and alerts configured. Luckily, all those situations ended with nobody being fired, and we added another metric to be monitored.
As for patching servers and workstations, I cannot comment as I have no role in doing so.
As for patching firewalls and switches, this is where our InfoSec department does us a huge favor. They keep track of vulnerability alerts and let us know when there is one that is applicable to our hardware. We review and respond whether the specified bug impacts our operation. If so, then they provide the necessary arguments to our change review committee when we want to upgrade firmware.