NOT PATCHED simply means that the 'vulnerability' has not been patched yet.
Should it be patched? Should someone install a fix for this? there are not standard answers: it depends by your needs.
The detect and deploy job configuration has two sections: what you like to detect (all the patches or some of them specified by one or more labels) and what you like to deploy (all the patches or some of them specified by one or more labels) and it's not required that the two sections need to be symmetrical.
You may decide to Detect for all the patches and deploy only the OS critical ones for example.
There is even another problem: let's say that you have a deploy and detect job that detects all the patches and installs all of them: you need to consider that not all the remediation content is immediately available on the K1000 (and/or eventually configured replication shares).
In a standard configuration the K1000 downloads every night only the signature of the patches and every 30 minutes the remediation content for the patches detect by detection jobs.
So it may happen that you detect on a device the need for 140 patches but in the database you have only the remediation content for 40 of them.
What happens to the other 100? They're not installed because the remediation content is momentarily missing, they are added to a ''patch content wish list'' that is processed every 30 minutes.
I hope this sheds a bit of light on the process ;-)
Marco - StockTrader