I'd like to think that if a company doesn't have the resources to properly maintain security patches on their deployed applications, they would use some app hosting platform (like Heroku), but I suspect that there are indeed many companies who are set up like you describe.
That doesn't change the fact that relying on your OS package maintainers to properly update packages results in the same "having them leave unpatched vulnerabilities on their systems for months or even years" (at least the "months" part if Ubuntu is any indication).
This would seem to be a "damned if you do, damned if you don't" scenario.
Also, the 30-day password change thing isn't even something that's "technically correct". It's a "why do we cut the ends of the roast off" vestige from old DoD recommendations.