
The method used here to determine whether a site is patched can't detect manual patching; it can only detect a full upgrade to Drupal Core. And even then it can only do that if the CHANGELOG.txt is left in the root folder, which some people explicitly remove.

The patch for the security flaw was just a single line of code; manually patching is rather easy in this case.



This test demonstrates that at least 42.5% of sites have been patched, and probably a lot more manually, which is pretty good going for a piece of software that doesn't automatically update itself or have a license that requires a technical contact who can be notified.

I'd guess the percentage of WordPress sites running a version that needs a critical update is a lot higher.


Considering that a non-negligible percentage of hosts that offer WordPress as a service run out-of-date versions of WordPress, you're probably right.


Exactly the case for my site. I patched the line 12 hours after public disclosure. I have not updated Drupal Core, nor CHANGELOG.txt, because there was nothing more than the patched line.



