If security is not applied, it can't work. Which means if a piece of technology gets a security patch and that patch isn't applied, the user is at risk.

While that might seem like obvious common sense wisdom, a new study from Duo Security found that more than half of some two million devices were running out-of-date software.

The out-of-date components included old operating systems, browsers and plug-ins, said Mike Hanley, head of R&D at Duo Security. The out-of-date devices access corporate applications, exposing not just the user but the entire enterprise to risk.

Duo Security, a cloud-based secure access provider, collected the data from its own customer base.

"The two million devices we saw are devices used by our customer's employees to access one or more enterprise applications," Ash Devata, vice president of Product at Duo, told eSecurityPlanet.

The Duo research found that 80 percent of the devices scanned were using Flash, while 32 percent of employees were running older unpatched versions of Microsoft's Internet Explorer. In addition, 22 percent of the scanned devices were running outdated versions of Java.

Similarly, Hewlett Packard Enterprise's Cyber Risk Report 2016 found attackers favor vulnerabilities that are at least a year old and are increasingly targeting applications rather than servers or operating systems. Three-quarters of mobile apps scanned by HPE had at least one vulnerability that HDE considered severe.

Most organizations surveyed by Duo also claimed they lacked proper visibility into the software patch levels running on end-point devices. A traditional mobile device management (MDM) solution doesn't provide full visibility into patch levels unless a user has fully opted into an agent-based enrollment for application access, Devata said.

To help solve the issue, Duo Security this week is announcing new capabilities on its Duo Platform Edition, to help enhance visibility. The platform includes two-factor authentication elements as well as policy-based access control.

The platform alerts users running outdated pieces of software, based on security policies. The promise of the platform is that it can enable the identification of outdated software without requiring the end-user to install a software agent. For Web browsers, Duo attains visibility by parsing browser header information that is already embedded in the data stream.

Duo's platform has an app that enables access to the platform's security features, including two-factor authentication. The Duo app does a system call at the operating system level to understand the configuration of a given device.

"There is a lot of noise in the market about threat intelligence and zero day attacks, among other crazy stuff," Devata said. "Our view is that if you do some basic things well, you can reduce the risk significantly."

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.