Yeah, some saps don't have a choice.
My point though is that if you make only port 80 available through the firewall, the webserver handles connecting to the database via asp/php/jsp/whatever. The guy connecting to a web page doesn't have to connect directly to the database. The fact that so many sites were hit points to a bigger problem. Database security patches shouldn't be ignored, but if you can't see the database in the first place, there is a lot less to worry about.