Do you have any experience with complex systems where a security patch could possibly take more than three months to implement?

He might have or not but I have. Not as complex but similar mission critical and distributed. 90 days is nothing as outlined.

Once you go life or death situations, regulatory environment applies, backward compatability matters, ... Everything takes endless. It is not code, commit, test and deploy. Intake, Risk Analysis, project planning, approvals, alignments, etc. So many more processes. We should not fool ourselves that other platforms are better in that once you go for serious SLAs. Linux Kernel or user land patch might be fast, but RedHat delivery will take longer.

Welcome to Enterprise development.

Very very little of enterprise is life or death, and windows is not suitable for life or death.

When enterprise just falls on its face, I don't have much sympathy. "So many more processes" sounds like taking a handful of steps, splitting them up, and making each one require multiple days of memos back and forth. Can you provide any justification for this? Am I misreading?

>>Welcome to Enterprise development.

That is assuming whoever you are replying to is foreign to enterprises.

In that case - if you are not - congrats! Seems like you ended up in well organized places :)

I have that experience. Security patches take a long time. You need to ensure that mission critical operations are not impacted, that the private builds which had been supplied to customers are not impacted, that documentation gets updated, that laws and regulations are followed across the world and in specific regulated verticals, etc. Then customers need time to review the patches and follow through on their schedule of updating their devices.