Assuming the customer will be buying a solution, I would say there are a number of usable solutions for Windows environments -- I wouldn't necessarily recommend sticking with a Microsoft solution. On the free side, though, I would say Microsoft's combination of MBSA and WUS would be one of the better free solutions.
Regarding finding more holes - vulnerability scanning tools will tend to find more overall security issues than patch management tools. Vuln scanners will be looking for things like password policy, unnecessary services enabled, file permissions (i.e. vulnerabilities that are unrelated to patching). On the other hand, patch management tools (as you would expect) will tend to focus on missing patches.
Dig deeper on Patches, alerts and critical updates
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.