Organizations are routinely compromised through unpatched applications, many of which have had patches available for more than a year.
How does it work?
Attackers tend to use publicly available exploits, which means they only need to worry about delivery mechanisms. While patches exist for the vulnerabilities most public exploits target, organizations aren't applying them as they should.
Should I be worried?
It is hard to find an organization that isn't affected by patch management failures. Patching should be the highest priority because patches address the root cause of security holes rather than merely blocking one delivery mechanism.
How can I prevent it?
Most obviously, enterprises should deploy patches as soon as they become available. Further, they should limit administrator privileges to a small number of people to prevent rogue application installation. Admins should also consider deploying a vulnerability management solution to scan networks for unpatched software.