Microsoft releases security updates on a regular schedule, but that doesn't tell us how long the turnaround is from a vulnerability being reported to a fix for that vulnerability being released. It could be reported today and not fixed for 10 patch cycles, it will still look like Microsoft is doing something. I think the turnaround is more relevant to the point that just how often patches are released.