Hello anonymous userWheat-6808, our compliance documentation in the services trust portal is where you can find this information. You can download the Microsoft Azure Security Fundamentals and Cloud Services Assessment Report 2020 - Annex A - ISM Control Findings which details the patching controls mapped to ISM controls
Microsoft's Azure services use CVSS 3.0 to assign vulnerability severity. Low, Moderate, and High/Critical are the three severity ratings used. As a minimum, baseline technologies must be pathed in a 30-day cycle. High and critical vulnerabilities are addressed in an Emergency Out of Band Cloud Critical process where mitigating action is taken prior to the application of final patches and fixes.