Microsoft's entry was its Microsoft Windows SMB NTLM Authentication Credential Replay Remote Code Execution. Apple was the next major name on the list, at 390 days, for its Mac SLP v2 Service Agent (slpd) Registration Request Overflow. Others who made the dishonorable list including Novell, Sun, HP and Computer Associates. The full list is absolutely worth reviewing.
When a security problem is discovered, timely response is important. So is making sure that the patch is going to fix the problem while also--hopefully—not introducing any new issues. That process takes time, and that's OK. But someone at the Open Source Vulnerability Database took the time to see which vendor waited the longest to fix a glitch once it was discovered. No surprise: Microsoft took top honors, with an awe-inspiring 2,027 days. Yes, that's more than 5.5 years.