More than half of the Internet-connected devices using OpenSSL remain vulnerable to the Heartbleed vulnerability, according to a Cisco security report released Tuesday.
The report identifies routine patching and updating as a major area for improvement in network security, finding that 56 percent of connected OpenSSL devices are running versions of the library that are at least 50 months old.
The Heartbleed vulnerability was introduced into OpenSSL code in a 2011 release and wasn't found until April. A patch was released quickly, but of course it's up to users to apply it.
"The proliferation of outdated versions of exploitable software will continue to lead to security issues of great magnitude," the Cisco report notes. A survey of enterprise security professionals included in the report found that less than 40 percent reported using patches and configuration as security threat defenses last year.
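The gap the report describes is between a fix being available and a fleet actually running it. The check below is an added example, not part of the Cisco report or the article: it parses OpenSSL version strings as printed by `openssl version` (including letter suffixes such as `1.0.1f`, and the two-letter suffixes used by later 1.0.2 releases), compares them against a minimum acceptable version, and lists the hosts that fall short. The inventory is constructed sample data; the baseline `1.0.1g` is OpenSSL's own Heartbleed fix release and is not stated in the article.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches "1.0.1f", "1.0.2za", "3.0.2" inside text such as "OpenSSL 1.0.1f 6 Jan 2014".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

VersionKey = Tuple[int, int, int, Tuple[int, ...]]


def parse_openssl_version(text: str) -> Optional[VersionKey]:
    """Turn an OpenSSL version string into a comparable key.

    The letter suffix becomes a tuple of 1-based letter positions, so
    '' < 'a' < 'b' < ... < 'z' < 'za' < 'zb' under plain tuple comparison,
    which is the order OpenSSL's patch releases actually follow.
    Returns None when no version can be found in the text.
    """
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch, letters = match.groups()
    suffix = tuple(ord(c) - ord("a") + 1 for c in letters)
    return (int(major), int(minor), int(patch), suffix)


def is_below(version_text: str, minimum_text: str) -> bool:
    """True when version_text parses and is older than minimum_text."""
    version = parse_openssl_version(version_text)
    minimum = parse_openssl_version(minimum_text)
    if version is None or minimum is None:
        raise ValueError("unparseable OpenSSL version string")
    return version < minimum


def audit_inventory(inventory: Dict[str, str], minimum_text: str) -> List[str]:
    """Return the hosts whose reported OpenSSL build is below the minimum.

    Hosts whose version string cannot be parsed are included as well:
    an unknown version is a finding, not a pass.
    """
    flagged: List[str] = []
    for host, banner in sorted(inventory.items()):
        try:
            if is_below(banner, minimum_text):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


# Constructed sample inventory: host -> output of `openssl version` on that host.
SAMPLE_INVENTORY = {
    "vpn-gw-01": "OpenSSL 1.0.1f 6 Jan 2014",      # pre-fix 1.0.1 build
    "lb-02":     "OpenSSL 1.0.1g 7 Apr 2014",      # the fix release
    "cam-17":    "OpenSSL 1.0.0k 5 Feb 2013",      # older branch, below baseline
    "api-03":    "OpenSSL 1.0.2za 24 Aug 2021",    # two-letter suffix, well above
    "printer-9": "unknown",                        # no version reported
}

# Assumed baseline: OpenSSL 1.0.1g (Heartbleed fix release, not from the article).
HEARTBLEED_FIX_BASELINE = "1.0.1g"

if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY, HEARTBLEED_FIX_BASELINE):
        print(f"{host}: below {HEARTBLEED_FIX_BASELINE} -> {SAMPLE_INVENTORY[host]}")
```

Feeding it real data means collecting the `openssl version` banner (or the package version) from each host through whatever inventory tooling is already in place; the comparison itself is the easy part. Note that distribution packages sometimes backport fixes without changing the upstream version string, so a version-only check over-reports on those systems and should be read alongside package metadata.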
"Attackers are not bound by policy and rules of engagement, so there's a gap there they leverage," says Jason Brvenik, principal engineer for Cisco's security business group.
Other bad news from the report includes a 250 percent increase in spam volume from January to November of 2014.
Spam can be most dangerous to enterprises in the form of spear phishing, or targeted campaigns to compromise an employee's device or credentials in order to gain access to the company network. Brvenik tells us that one such campaign involved at least 95 iterations on messaging and design, evidence that the attackers were observing and testing for performance.
"There was clearly a business metric being applied to drive up the success rate," Brvenik says of the attack. "To talk about it in terms of business metrics seems odd at times, but that term is very much accurate and relevant to what they're doing."