Security Think Tank: Ad hoc patching is inadequate

How should organisations address the need to keep software up to date with security patches without it costing too much or being too labour intensive?