I work in Support at a hosting company, and from even a cursory glance at CommuniTech's Cobalt RaQ FAQ, it's apparent that, once the box is released to the customer, it's his responsibility to install security patches. The document basically states that the customer is free to do whatever he wants, such as perform "Operating system and software upgrades" or "telnet in and delete system configuration files or modify these files so as to make them non-operational". In a case where the customer is given root access, no hosting company should be held responsible for anything software-related. I wholeheartedly agree with charging a fee for applying the patches, as long as the patches in question weren't available at the time of the original server build.
On the flip side of that, my company also offers "managed" hosting, in which we are entirely responsible for everything on the box except the customer's web content. It's up to the sysadmins to decide what security patches to apply, and when. The admins once grudgingly applied ALL available M$ (in)security patches to a managed NT server, due to the demands of a know-it-all customer. Quite a few things broke...
Slashdot Mirror
On the flip side of that, my company also offers "managed" hosting, in which we are entirely responsible for everything on the box except the customer's web content. It's up to the sysadmins to decide what security patches to apply, and when. The admins once grudgingly applied ALL available M$ (in)security patches to a managed NT server, due to the demands of a know-it-all customer. Quite a few things broke...