Perhaps this may sound harsh, but if you handle large amounts of money and are informed that your software stack allows arbitrary code execution then:
You pull off the plug ASAP.
Better have customers unable to use the service for one day than have the customers lose their money while you stumble trying to figure out how to patch it. This is elementary for any mission critical system. Just imagine your neighborhood nuclear plant delaying the insertion of the control rods during a meltdown because it has to wait for some shinier parts to arrive.
You pull off the plug ASAP.
Better have customers unable to use the service for one day than have the customers lose their money while you stumble trying to figure out how to patch it. This is elementary for any mission critical system. Just imagine your neighborhood nuclear plant delaying the insertion of the control rods during a meltdown because it has to wait for some shinier parts to arrive.