The issue with most organizations isn't Insufficient Patching but rather Weak/Breached Password. However this doesn't mean that there aren't patching issues out there. It can range from out of date software to something more significant like RCE on an application or system.
Check the versions of applications and software you come across in the engagement to make sure they're all up to date
Example 1
Vulnerable server hosting Netscale
Scanner flagging as vulnerable
More evidence and Remediation
Example 2
Simple PHP server that is out of date. In risk section CYA language is used
