Kristin Paget, a former Apple security employee, on Apple not issuing simultaneous iOS and OS X patches for shared security vulnerabilities:
Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for weeks afterwards? You really don’t see anything wrong with this?
I’m still quite offended that the “goto fail” vulnerability was left in 10.9 for days after it was emergency-patched in iOS because, apparently, Apple felt that Mac security was unimportant enough that they could just roll it into the 10.9.2 update rather than bearing the work and costs of a separate fix released simultaneously with iOS’.
Apple’s security practices are so advanced in many areas, yet so neglectful in basics like this. Worst of all, they don’t seem to think there’s anything wrong with this.
Surely avoiding the reputation damage they would incur if one of these gaps were widely exploited is worth the cost of simultaneous patches.