<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: To Patch or Not To Patch</title>
	<atom:link href="http://spiresecurity.com/?feed=rss2&#038;p=481" rel="self" type="application/rss+xml" />
	<link>http://spiresecurity.com/?p=481</link>
	<description>Risk and Cybersecurity Analysis</description>
	<lastBuildDate>Wed, 21 Aug 2013 23:28:51 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>By: Pete</title>
		<link>http://spiresecurity.com/?p=481&#038;cpage=1#comment-758</link>
		<dc:creator>Pete</dc:creator>
		<pubDate>Mon, 09 Jan 2006 13:48:39 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=481#comment-758</guid>
		<description><![CDATA[@Stuart -

Good point on the client vs. server patching. I would expect that there is very little impact on servers from the WMF vulnerability.

Regarding political costs of NOT taking action, I think that is a great point. All the fanfare can force (re)action. Meanwhile, there is Sober and the Oracle worm to consider.
]]></description>
		<content:encoded><![CDATA[<p>@Stuart -</p>
<p>Good point on the client vs. server patching. I would expect that there is very little impact on servers from the WMF vulnerability.</p>
<p>Regarding political costs of NOT taking action, I think that is a great point. All the fanfare can force (re)action. Meanwhile, there is Sober and the Oracle worm to consider.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Stuart Berman</title>
		<link>http://spiresecurity.com/?p=481&#038;cpage=1#comment-757</link>
		<dc:creator>Stuart Berman</dc:creator>
		<pubDate>Mon, 09 Jan 2006 03:58:22 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=481#comment-757</guid>
		<description><![CDATA[I think you are partly correct.

In the case of WMF there seem to be plenty of anti-virus products that effectively block most known forms of exploits. There is also the issue of client versus server patching. Patching servers is far more serious and expensive than client patching (due to the impact of affecting critical servers). Rolling out client patches is often fairly straightforward and even phased roll outs can be automated.

The bit that you don&#039;t seem to address is the political cost. When an exploit (and patch) such as WMF hits the mainstream press now you are obligated to consider the backlash if you don&#039;t appear to be doing something effective if the worst case does in fact hit. (Or even something unrelated but likely to be misconstrued such as the Sober worm activation set for January 6.)
]]></description>
		<content:encoded><![CDATA[<p>I think you are partly correct.</p>
<p>In the case of WMF there seem to be plenty of anti-virus products that effectively block most known forms of exploits. There is also the issue of client versus server patching. Patching servers is far more serious and expensive than client patching (due to the impact of affecting critical servers). Rolling out client patches is often fairly straightforward and even phased roll outs can be automated.</p>
<p>The bit that you don&#8217;t seem to address is the political cost. When an exploit (and patch) such as WMF hits the mainstream press now you are obligated to consider the backlash if you don&#8217;t appear to be doing something effective if the worst case does in fact hit. (Or even something unrelated but likely to be misconstrued such as the Sober worm activation set for January 6.)</p>
]]></content:encoded>
	</item>
</channel>
</rss>
