Speedrunning the Maze: Meeting Regulatory Patching Deadlines in a Large Enterprise Environment

Abstract

Many enterprises struggle to apply security patches in time to remove the risk of security breaches. Delays can be attributed to technical dependencies, outdated asset inventories, and issues of scale. Governments have started pursuing a strategy of mandating, through regulation, the patching of a highly selective set of severe vulnerabilities under very strict deadlines. We worked with a large organization to examine patching timelines under these regulatory deadlines. We analyze patching ticket-system entries for 81 security advisories over seven years, covering 944 CVEs. We complement this with nine interviews with professionals involved in managing patches. We find that 40.2% of advisories required patching action, with a median completion time of 13.2 days; advisories that do not end up requiring a patch have a median of 1.4 days. Completing the patching process in 48 hours – a recommended industry best practice – is achieved in just 16.2% of the cases. For the deadline of one week, under the Dutch BIO regulation, patching is achieved in 32.4% of the cases, while the performance against the typical CISA KEV deadlines is a bit more hopeful: 56.8% are patched in two weeks and 62.2% in three weeks. We find that some of the variance in delays can be explained by coordination effort, as measured by the number of involved teams and people. Overall, the strategy of regulatory deadlines for a highly selective set of priority vulnerabilities is associated with much faster enterprise patching. The deadlines are routinely missed, yet they need to trade off realism against exposure. The three-week KEV deadline is more feasible than the 48-hour one, yet it also leaves open a longer exposure window for exploitation.

Publication
IEEE Symposium on Security and Privacy