Hi Danny,
I don't think I can give an unqualified answer to that. But if you have a well built ASM policy using the positive security model, that policy will block most attacks. For example, if there is an IIS exploit which depends on an attacker being able to use a % in the requested object, and you have that character disallowed in the character set for objects, the request will be marked as illegal. Likewise, if you don't explicitly allow access to .exe or .dll object types, and the newly discovered exploit depends on access to one of these object types, the attack would be blocked.
Of course, it's always a good practice to keep the servers patched as soon as practical.
Aaron