Consider a situation in which there is a new vulnerability in openssl. you can treat this as a hypothetical question or just.. remember any of your past experiences of any of the many openssl vulns.

How many binaries on your server use the vulnerable version? If all binaries are dynamically linked you can answer this fairly trivially with a shell script to enumerate binaries, pass them to ldd, and a little grepping. If all of your binaries are statically linked what do you do? Ideally pull the build info from your build server that shows you every version of everything that went into the binary.. which is data that just doesn't exist for most people

Maybe you scan the binaries to do some kind of signature analysis... but I would not be confident in the results not having false positives and false negatives.

Now let's patch it. How quickly can you recompile every static binary on your server? Can you even easily cut new builds of these existing versions but with a small patch increment or will your dev teams just rush a new release of any changes they're working on?

or with dynamically libraries, you update the library on your server and be done with it

... or so you thought. you didn't check what processed were running with the old library still open in memory and restart them so you're still vulnerable :)