How do you know that IT pros are less likely to implement a workaround than hackers are to exploit it?
How prevalent is deploying workarounds and mitigations versus deploying patches? I don't know of any research in this area; it would be very interesting to know.
Based on history. There have been several known exploits that have been exploited where a Windows Update patch has been available for months, and admins didn't update.
Now, take it a step further and now you have an exploit where is no Windows Update package, but each server has to be manually updated following a procedure from a webpage.
This is a no-brainer to me. Of course if you're looking for double-blind randomized control studies to prove this, well I'm afraid you're in the wrong field.
How prevalent is deploying workarounds and mitigations versus deploying patches? I don't know of any research in this area; it would be very interesting to know.