Monitoring Security Bulletins
While updating software periodically fixes recently found flaws, some flaws are so dangerous that they must be fixed immediately. When an attacker announces an important vulnerability on the Internet, your organization can become vulnerable overnight to anyone who can run a publicly available attack program. Therefore, someone in every organization should constantly monitor the most important vulnerabilities being discovered and decide whether the organization needs to react immediately.
The easiest way to keep informed of the most recently discovered vulnerabilities is to check daily the security advisories issued by organizations such as CERT and FedCirc. These organizations post advisories on the most important vulnerabilities and describe how to mitigate their effects or where to obtain a patch. CERT even has a mailing list so that new advisories are automatically sent to the appropriate person.
NT Bugtraq is the most influential Windows list. Internet Security Systems (ISS) maintains a very complete listing of security lists at http://xforce.iss.net/maillists/otherlists.php
Also, NIST's ICAT Vulnerability Metabase provides an up-to-date listing of system software vulnerabilities. Visit ICAT regularly to monitor vulnerabilities relevant to you.
It's also a good idea to keep your eye on a few of the information security news sites. While major security flaws may make mainstream media headlines, the bulk of vulnerabilities will not.
A few examples are:
Security Focus
Security Watch
Security Portal
ICSA
For a complete list, see the CSRC Links Page.