Patching Up Configuration Management

Configuration management is a many-headed beast, but the biggest beast with the sharpest teeth is the patch monster. Every day, a new vulnerability, a new patch – and an old decision: patch and maybe break something (I’m looking at you, Spectre and Meltdown), or stay online and be vulnerable. This model – “panic patching” – is in wide practice, but not sustainable. For now, an efficient and reliable system is essential; for the long term, we need an entirely new model.