A big problem for security in software is that users have learned over the years that upgrading software is painful. Clicking through dozens of settings and configurations, then having to stop what you’re doing for an operating system restart, has made upgrades a nuisance for most users. They avoid them.
In recent years, I’ve found that web-based upgrades have become less and less painful. WordPress, for example, is incredibly easy to upgrade these days. At first the single Subversion update command was a big improvement over the 5-7 step process. Now, it’s a single click from your WordPress dashboard to upgrade, from downloading the update to installing it and running any necessary upgrade routines.
One-click. That’s how it should be. When you get one-click upgrades, then it becomes the default thing to do rather than the deferred thing. This benefits everyone.
That’s why I still hate upgrading vBulletin, the forum software that is abominable to upgrade. After having to upload the new version yourself (“upload a, b and C, but not d”), you have to click through dozens of screens to actually install it. If you’ve let it lapse by more than a few minor versions, and you will, given the pain involved in upgrading, then you’ll have to do each and every incremental upgrade, one after the other.
The most annoying thing is that there is no interaction required here. You’re essentially clicking “next” a few dozen times. You know what? Software can hide this fact and just keep plowing on until it hits an issue (in which case it can let you know) or is finished.
Yes, it’s a commercial piece of software, but that’s no excuse. There are plenty of ways of allowing an upgrade automatically, after performing a license check. OAuth, for example, could be used to make this problem go away.
Instead, we have a terrible user experience: an upgrade that needlessly takes away administrator time from doing something else. Try harder, vBulletin.