The system uses a commercial library as a core component.
An automated build and test pipeline for the system is in place. This is available for all developers within their development environment.

This commercial library gets regular security updates every month.
In some cases (e.g. zero day exploits) additional updates are delivered from the vendor. The product owner requires that these updates are incorporated with only limited manual effort.

An update of this library must be possible with a maximum time budget of less than 2 developer-hours on average.
The cost of automation (build and test) is not considered, as these are already available.