Most of the time, there's no excuse for not patching servers in a timely fashion. It may be annoying, or difficult, or you may have to inconvenience your users or come in at midnight on a weekend, but you can still get them patched. Sometimes though, there are systems that are critical and that really need to be available for extended periods of time. Sometimes, you may be responsible for servers that run complex applications that require a specific OS configuration, and you just can't run the risk of applying patches or service packs, which could break the application. This is especially annoying because some service packs or components thereof can't be uninstalled. And in many cases, the device in question is really an "appliance" that gives you no access to the OS configuration, so patching is not an option.
In cases like these, there are a few things you can do to mitigate the risk of these important servers succumbing to the next worm or virus, or being unnecessarily exposed to hackers. Which option you choose will probably depend on what type of applications your server is supporting, and your budget. Most of the options fall under a general strategy of pushing "security" out in to the network, to create some sort of perimeter around the server and application.
First, the obvious: firewalls. If your application allows, you can put a firewall on your internal LAN to separate the users from the device. This is generally pretty effective.
Second: reverse proxy. Again, if the application is amenable, reverse proxies can give you a lot of control regarding how your users access the server. They're usually much more intelligent than your average port-filtering firewalls, too.
Third: Intrusion Detection Systems. Many vendors are attempting to pawn off a new buzzword "Intrusion Prevention Systems," but the truth is these systems have had the ability to recognize and stop attacks for quite some time, although they are naturally getting more sophisticated. The short of it is, in rare cases, your application may be incompatible with firewalls or proxies, but many IDS can offer protection in addition to just "detection."
Of course, there are many more technologies that can help you mitigate risk, but these three provide a good start. You can also choose to implement a combination of the above.
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.