Monday, February 06, 2006

Web defacements - keeping your system updated

The current crisis about the Muhammed drawings has made Denmark a big target in the online world too. Lots of Danish websites (mostly personal or generally small) have been defaced in the last few days.

From what I've read, most (if not all) of the defacements were done by either taking advantage of known security bugs or because of weak passwords. I think the various content management systems should get better at being secure by default. There should be some default requirements for passwords (min. 8 characters, and it should include both capital and lowercase characters and numbers).
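As an added illustration (not code from the post or from any particular CMS), here is what such a secure-by-default password rule could look like at registration time. The function names are my own, and the username check goes one step beyond the rules the post lists; the minimum length defaults to the 8 characters suggested above but can be raised per site.

```python
import re

# Default policy from the post: at least 8 characters, mixing upper-case,
# lower-case and digit characters. The minimum is a parameter so a site can
# raise it above the default.
DEFAULT_MIN_LENGTH = 8


def password_policy_failures(password: str, username: str = "",
                             min_length: int = DEFAULT_MIN_LENGTH) -> list:
    """Return the list of policy rules the password fails (empty = accepted).

    Collecting every failed rule at once lets a CMS show the user the whole
    list instead of one complaint per attempt.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"at least {min_length} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("at least one upper-case letter")
    if not re.search(r"[a-z]", password):
        failures.append("at least one lower-case letter")
    if not re.search(r"[0-9]", password):
        failures.append("at least one digit")
    # Extra rule beyond the post's list (assumption, not from the page):
    # a password that contains the account name is trivially guessable.
    if username and username.lower() in password.lower():
        failures.append("must not contain the username")
    return failures


def is_acceptable(password: str, username: str = "",
                  min_length: int = DEFAULT_MIN_LENGTH) -> bool:
    """True when the password passes every rule of the default policy."""
    return not password_policy_failures(password, username, min_length)


if __name__ == "__main__":
    # Constructed sample candidates, from obviously weak to acceptable.
    for user, candidate in [("admin", "admin"), ("bob", "password"),
                            ("bob", "summer2006"), ("bob", "Summer2006")]:
        problems = password_policy_failures(candidate, user)
        verdict = "accepted" if not problems else "rejected: " + ", ".join(problems)
        print(f"{user!r} / {candidate!r}: {verdict}")
```

A CMS would call this from its account-creation and password-change forms before hashing and storing the password; the returned list doubles as the error text shown to the user.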

The known security bugs are a different problem. How do you make sure your CMS is updated? How do the various systems handle that problem? If you have a webserver and install [insert random CMS] on it, then it will most likely be your responsibility to patch your system when a bugfix is released, since these systems don't download and install the latest security fix themselves (of course, if the CMS comes as part of your Linux distribution, then it will most likely be kept updated automatically). I bet many completely ignore this issue. How can this problem be fixed? I would say the first thing is to make sure the people using a given system will be made aware of any new security issues. Maybe make a strong suggestion to the people that download it to join the security mailing list? Next up is the actual act of updating the system when a security fix is released. I believe the critical thing here is to make it very, very easy to do. I hope there is some focus on this issue in the CMS world.
