A Large-Scale Empirical Study of Security Patches