In my spanish (worldwide scope?) University we hadn't any security patching policy and Bugtraq and some dark repositories were our main "security information source". Result was security delegation. We hadn't security staff so we had to delegate security on software providers getting in troubles when a vulnerability was disclosed.
Our internal process was derived from Sun's security patching policy, a horrible policy where you had to fight with very low level details. You only had a Sun's web resource, a spreadsheet and a tarball containing a workaround (or a patch weeks/months later when the fix would come out!).
Nowadays, Sun has a better patching process, an agile and "transparent" process. It deals with the old (legacy) tools but the process is different. To a great extent OpenSolaris plays a crucial role here. With OpenSolaris Sun got a very motivated community reporting and testing general bugs and, of course, security bugs.
Sun changed its low level approach too, looking at Cisco and some Antivirus companies and forgetting tarballs. They came up with IDR's (a form of interim fix packaged up into a patch). In this way they get delivering diagnostic binaries to customers to help solve their issues quickly. IDR's show up in 'patchadd -p' and also block any patches from being installed on top of them.
With the recent SunOS's telnetd vulnerability you can see a lot of people diffing the vulnerability and coding exploits, IDS signatures, etc. but in addition to mentioning those details I'd like to point out the time window for getting the IDR patches turned into ISR patches (Interim Security Relief) and getting them published. It's gone from months to hours for a fully tested and supported patch. Congratulations!