Sorry, but its a traditional part of the product model for telecommunications equipment. PBX's, routers, pretty much everything - support contract required. Sure, you could have it a different way, but you would have to be willing to pay significantly more up front to pay for
that
ongoing support.
What ongoing support, just put the fixes on an ftp site. Cisco's problem is they aren't patches, they are full versions. If they created an exe file that attached via tcp/ip to the router and just changed the bits that needed changing instead of requiring a whole new build be loaded it wouldn't be such an issue to just leave the patches out there on cisco.com so anyone with a router could get them without costing cisco anything but a bit of bandwidth. Look, it's up to Cisco how they do this but if DHS wants this country's infrastructure to be secure then Cisco is going to need to realize that a whole lot of people are not going to be willing to pay to fix product defects and they're not going to be willing to spend days trying to get those fixes for free. Perhaps after a few router worms it will make more sense. Oh and I don't know about you but if I buy a PBX and a flaw in it allows any remote caller to make outbound calls at my expense, you can bet money that I'm going to expect a flaw like that to be fixed free of charge, contract or not. Geo.