As a practitioner, I find this hard to argue with and somewhat obvious, since the preceding 10 years have largely been about how hard it is to get critical patches adopted in opt-in schemes.