He may still be a security expert, but not so expert in logical deductions. 🙂

When evaluating the security of a system/framework, one item in the “checklist” is checking for the existence of periodical software/security updates.
I’ve always argued against such ultimate “checklists”, or even close to them. All these attempts to associate some ISO-like security tags with a system are flawed in their basis and make me sick. It’s like summarizing the entire contents of a religion X in a few bullets and claiming that they are the entire X.
I vaguely remember some old comparison of the security of various systems, in which Microsoft Windows won one of the top places, mostly due to that weird item — they maintain periodical (weekly!) updates to their software.