Why is security patching so difficult?
If you’re only trying to monitor for one particular product, things are in fact quite simple. Say Apache, for example… monitoring feeds for any vulnerabilities within their HTTP server is quite easy. That’s well and good if I only care about that particular package/software. What happens when I want to see all operating systems that Apache can be installed on and see the same vulnerability pop up across those lists? Nothing. Nada. Zilch. Nothing like that exists — that I can find. My Google-fu is fairly strong but I’ve been bested by this. I’m tasked with this stuff at work as a manager with no background in security. Anyone have some pointers?