As you all know, KnowBe4 frequently promotes security awareness training and we also mention that unpatched software is a distant number two issue after social engineering.
We generally say that unpatched software is involved in 20%-40% of successful exploits. It has been hard, though, to get good figures on that for years, and even CISA has not published hard numbers, even though it appears to focus on the issue. CISA has definitely seen an increase in successful attacks against unpatched software and firmware, but at what overall percentage?
Unpatched software is responsible for 33% of successful attacks
Well, this article (https://www.action1.com/patching-insights-from-kevin-mandia-of-mandiant/) states that Kevin Mandia (who founded Mandiant, which was recently sold to Google) says unpatched software is responsible for 33% of successful attacks. Mandia is a true veteran, and we greatly trust anything he says. By comparison, social engineering is likely involved in 70% to 90% of successful attacks.