Security Think Tank: Apply risk-based approach to patch management

How should organisations address the need to keep software up to date with security patches without it costing too much or being too labour intensive?