I saw this assertion go by and it stood out:
The bigger cost would be the cost of not patching. Such items as downtime will affect more staff/users than patching will.
The issue so far has been black and white.
There is a black and white difference between devices that face the internet and those that are not accessible to or from the 'Net.
But what about the "grey"? No all patches have the same criticality even for 'Net-facing devices.
And there's more to security - even of the Internet-facing devices - than patching software.