This is an interesting read – both the article and the draft provided by Microsoft – concerning patch development and an organization’s commitment to address bugs based on severity and defensive layers.  I commend Microsoft for their willingness to release this draft and seek public / industry comments.

https://threatpost.com/microsoft-reveals-which-bugs-it-wont-patch/132817/