The thing is, most IT departments aren’t staffed to cope with the bursty nature of proper patch testing. Where I work, we deploy to a few test environment PCs, but they only run some of the core apps (we can’t afford to run every single prod app in the test environment, as I doubt many businesses can). Once the basic testing has been done, it’s pushed into live to a select set of PCs. If no issues are reported, it’s pushed to the remaining several thousand PCs. There’s only time to do this quarterly and allow for a sufficient amount of testing (along with all the other work going on). Even then it’s impossible to test everything (hundreds of apps, and some functions are only run monthly or annually).
I’m not making excuses for the IT departments out there that still can’t be bothered to patch routinely, but the general perception from the public of this being the case with anyone that suffers an outbreak from malware where a patch already exists isn’t correct.