SAP patching is essential but time-consuming, and for it to be done correctly, it should be a manual process. While this might be frustratingly slow, it’s the right approach because applying patches can often have an impact on the entire landscape.
Many organizations I have spoken with, have had poor experiences from deploying patches directly into their production environments. With “direct” I mean, without testing the affected function. So, what can happen is that a (security) patch damages or disables an essential business function, which can lead to disruption. Disruption essentially leads to loss. In many cases, the potential loss by far outweighs the cost of applying security. On a side note; this principle also applies to the preventive measures to secure an environment against cyberattacks.