What grace period should you give enterprise connected devices to update?

iOS 9.3.3 came out earlier in the week and with it 43 CVE’s were patched. This is a big number for a minor patch. My questions is how long do you give your employees with enterprise connected devices to update to the latest before marking them as non compliant in your chosen EMM platform? A day, a week, a month. How long is too long before the known (and now documented) CVE is weaponised and becomes a real risk?
Interested to hear your thoughts.