Why is a 14-month-old patched Microsoft vulnerability still being exploited?

http://sophosnews.files.wordpress.com/2012/02/cumulative_numbers.png

The media - and indeed many parts of the security industry - just looove zero-day exploits. They are exciting to report, to research, to block...but interestingly, SophosLabs sees much more malware exploiting patched vulnerabilities.

I know - it's a bit weird. Why would malware authors bother to target a vulnerability for which a patch is already available for download...for free? Surely, it would be a lost cause, a dud, a lemon, a non-starter.

Alas, many people - and companies - don't get around to patching. And I just don't get why. If I cut myself, I put a plaster on it so I don't bleed all over the place. A no-brainer. Isn't patching security vulnerabilities in the same boat?