
That's an absurd excuse for Ormandy. As I'm sure Ormandy knows, IT pros are a LOT less likely to implement a workaround to this problem than hackers are to exploit it.

Furthermore, MS stated that the provided workaround is insufficient and easily circumvented.

And, he provides no evidence that any blackhats know about this at all.

To me this clearly looked like a way for Google to try to attack MS's security -- this goes hand in hand with their PR stunt of moving Google employees off of Windows due to security.



How do you know that IT pros are less likely to implement a workaround than hackers are to exploit it?

How prevalent is deploying workarounds and mitigations versus deploying patches? I don't know of any research in this area; it would be very interesting to know.


Based on history. There have been several known exploits that have been exploited where a Windows Update patch has been available for months, and admins didn't update.

Now, take it a step further and now you have an exploit where there is no Windows Update package, but each server has to be manually updated following a procedure from a webpage.

This is a no-brainer to me. Of course if you're looking for double-blind randomized control studies to prove this, well I'm afraid you're in the wrong field.



