30,000+ Vulnerabilities Disclosed: What to Prioritise | NSP

Dayna-Jean Broeders

28 December 2025

9 min read

30,000+ Vulnerabilities Disclosed: How to Prioritise What Actually Matters

 

When everything is critical, nothing is. 

 

Last year, more than 30,000 vulnerabilities were publicly disclosed, and this year will be about the same. Your scanner flagged 487 issues last month, you got three "urgent" vendor alerts this week, your security team is underwater, your IT manager is triaging on instinct, and you're wondering if any of this actually makes you safer.

Here's the uncomfortable truth: it probably doesn't.

Not because the vulnerabilities aren't real. They are. But because when you're drowning in alerts, the natural human response is to either chase everything (and fix nothing properly) or ignore most of it (and miss the one that matters). Neither approach reduces your actual risk.

So let's talk about what does.

 

Why Vulnerability Fatigue Is Now a Business Risk

Vulnerability fatigue isn't an IT problem. It's a resourcing and decision-making problem that sits squarely in the executive suite.

When your team receives hundreds of vulnerability notifications weekly, three things happen:

  • Critical patches get missed because they're buried in the noise

  • Resources get wasted fixing low-risk issues while high-risk exposures remain open

  • Board visibility disappears because "we patched 200 things last month" tells you nothing about whether you're actually safer

The organisations that get breached aren't usually the ones ignoring security. They're the ones treating every vulnerability alert with equal urgency, which means treating none of them with real urgency.

This is a prioritisation failure, not a technical one, and it needs a business-led solution.

 

Why CVSS Scores Alone Are Not Enough

Most vulnerability scanners use something called CVSS (Common Vulnerability Scoring System) to rate severity. It's a score from 0 to 10 based on how bad a vulnerability could theoretically be if exploited perfectly.

CVSS is useful context. But it has three critical limitations:

  1. Severity doesn't equal likelihood. A theoretical 10/10 vulnerability that requires physical access to your server room matters less than a 7/10 that's being actively exploited in the wild.

  2. It ignores your environment. That critical vulnerability in Apache Tomcat? Irrelevant if you don't run Tomcat.

  3. It doesn't account for exploitation. CVSS can't tell you if attackers are actually using this vulnerability right now, or if it's just scary on paper.

Treating all "High" and "Critical" CVSS scores as equally urgent is like treating every weather warning the same. A severe frost warning matters if you're a vineyard. Less so if you run an accounting firm in Auckland.

You need context, and that's where modern prioritisation frameworks come in.

 

What Modern Prioritisation Actually Looks Like

Two frameworks have emerged that help cut through vulnerability overload: CISA's Known Exploited Vulnerabilities catalogue, and the Exploit Prediction Scoring System (EPSS).

CISA KEV: What's Actually Being Exploited

The U.S. Cybersecurity and Infrastructure Security Agency maintains a Known Exploited Vulnerabilities (KEV) catalogue. It's a curated list of vulnerabilities that have been observed being actively exploited in real attacks.

Not theoretically dangerous. Actually being used by attackers right now.

If a vulnerability is on the KEV list, it moves to the top of your queue. Simple as that. These are the ones causing breaches, not just triggering scanner alerts.

EPSS: Predicting What's Next

EPSS (Exploit Prediction Scoring System) uses data and machine learning to predict the likelihood that a vulnerability will be exploited in the wild within the next 30 days.

Think of it as a weather forecast for exploits. A 2% EPSS score means low likelihood. A 90% score means you should probably act today.

Combining EPSS with CVSS gives you a much clearer picture: how bad could this be, and how likely is it to actually happen?

These frameworks don't add complexity. They reduce it. They help your team focus effort where it actually matters instead of chasing ghosts.

 

Risk-Based Prioritisation for Real Organisations

Here's what good prioritisation looks like in practice. You're weighing four factors:

| Factor | What It Means | Why It Matters |
| --- | --- | --- |
| Exploitability | Is this being actively exploited? (KEV, EPSS) | Tells you what attackers are actually using |
| Asset Criticality | How important is this system to your business? | A vulnerability in your payroll system matters more than one in the test environment |
| Exposure | Is this system internet-facing or internal? | External exposure = higher risk |
| Business Impact | What happens if this gets exploited? | Data breach? Downtime? Regulatory breach? |

A high-severity vulnerability in an internet-facing system that processes customer data and appears on the KEV list? That's your number one priority.

A critical CVSS score in a development environment with no external access and no sensitive data? That can wait.
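As an added example (not NSP's code, and not the API of any scanner or of CISA or FIRST), here is the four-factor weighing above, together with the CVSS-plus-EPSS combination from the previous section, as a small Python script: it ranks a constructed set of findings and contrasts the result with a CVSS-only sort. The weights, the CVE-EXAMPLE identifiers and every value in the sample set are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result enriched with the context the article says CVSS lacks."""
    cve: str               # placeholder identifier, not a real CVE
    asset: str
    cvss: float            # CVSS base score, 0-10: how bad it could be
    epss: float            # EPSS probability (0.0-1.0) of exploitation within 30 days
    in_kev: bool           # observed exploitation: listed in CISA KEV
    internet_facing: bool  # exposure
    criticality: int       # asset criticality, 1 (test/dev) to 5 (business-critical)
    sensitive_data: bool   # business impact: does the system hold customer or regulated data?


def priority_score(f: Finding) -> float:
    """Weigh the four factors from the table. Weights are illustrative assumptions."""
    severity = f.cvss / 10                        # CVSS: potential impact, scaled 0..1
    exploitability = 1.0 if f.in_kev else f.epss  # KEV is certainty; EPSS is the forecast
    exposure = 1.0 if f.internet_facing else 0.5  # internal-only halves reachability
    criticality = f.criticality / 5               # 0.2 .. 1.0
    impact = 1.0 if f.sensitive_data else 0.6     # a breach of regulated data costs more
    return round(10 * severity * (0.5 + exploitability) * exposure * criticality * impact, 2)


def rank(findings):
    """Highest priority first: what to fix today sits at the top of the list."""
    return sorted(findings, key=priority_score, reverse=True)


def rank_by_cvss_alone(findings):
    """The scanner's default view, for contrast."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings; identifiers and values are made up for this example.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", "customer portal",   8.1, 0.62, True,  True,  5, True),
    Finding("CVE-EXAMPLE-0002", "dev build server",  9.8, 0.03, False, False, 1, False),
    Finding("CVE-EXAMPLE-0003", "payroll system",    7.5, 0.15, False, False, 4, True),
    Finding("CVE-EXAMPLE-0004", "marketing website", 6.5, 0.88, False, True,  2, False),
]

if __name__ == "__main__":
    print("CVSS alone:", [f.asset for f in rank_by_cvss_alone(SAMPLE)])
    for f in rank(SAMPLE):
        print(f"{priority_score(f):6.2f}  {f.cve}  {f.asset}")
```

The CVSS-only sort puts the 9.8 on the isolated dev server first; the risk-based ranking puts the KEV-listed, internet-facing customer portal first and the dev server last.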

This approach delivers three things executives actually care about:

  • Reduced breach risk because you're fixing what matters

  • Better use of limited resources because your team isn't chasing everything

  • Clear reporting because you can show the board what's been addressed and why

At NSP, this is how we help clients turn vulnerability data into actionable risk management.

 

What Good Vulnerability Management Looks Like

You don't need perfection; you need maturity. Here's what that looks like:

Continuous visibility. You know what's on your network, what's exposed, and what's vulnerable. Not once a quarter, but continuously.

Clear prioritisation rules. Your team knows what gets fixed first and why. It's documented, consistent, and tied to business risk.

Ownership and accountability. Someone senior owns vulnerability management as a process, not just a task. There's a defined workflow, and it doesn't live in a spreadsheet someone updates when they remember.

Integration with incident response. If a critical vulnerability is detected, your incident response process kicks in automatically. It's not a separate conversation three days later.

This doesn't require expensive tools. It requires discipline, clear decision-making, and someone who understands how to connect technical vulnerability data to business outcomes.

That's where a virtual CISO or security advisor adds real value, not by buying you another scanner, but by building a system that works.

 

Where Organisations Get Stuck

Most organisations don't fail because they ignore vulnerabilities. They fail because they approach vulnerability management the wrong way:

Chasing volume instead of risk. "We patched 300 vulnerabilities last month" sounds impressive until you realise none of them were the ones that mattered.

Treating it as a quarterly task. Vulnerability management isn't a project. It's an ongoing discipline, like financial controls or health and safety.

Relying on tools without context. Scanners are useful. But they generate data, not decisions. Someone still needs to interpret that data through the lens of your business, your environment, and your risk appetite.

No board-level oversight. If vulnerability management lives entirely in IT, leadership has no visibility into whether the organisation is actually getting safer or just busier.

These are leadership issues, not technical ones. And they need leadership-level attention.

 

The Role of a Cybersecurity Partner

A good cybersecurity partner doesn't sell you more alerts. They help you make sense of the ones you already have.

That means:

  • Translating vulnerability data into business risk. 

    Not "you have 400 highs," but "here are the five that could actually hurt you, and here's why."

  • Applying modern prioritisation frameworks properly. 

    KEV, EPSS, asset criticality, exposure, used in the context of your organisation, not as theoretical exercises.

  • Aligning remediation with business operations. 

    Patching during business hours might not be an option for your ERP system. A good partner works with that reality, not against it.

  • Supporting continuous improvement. 

    This isn't a one-off assessment. It's an ongoing partnership that evolves as your business and the threat landscape changes.

Our security assessment services start by understanding what actually matters to your business, then building a vulnerability management approach that fits your reality, not a textbook.

 

More Data Doesn't Mean More Security

You're never going to patch everything. That's not the goal. The goal is to patch what matters and know, with confidence, that you're reducing the risk that keeps you up at night.

Vulnerability management isn't about perfection. It's about focus. It's about turning thousands of alerts into a handful of priorities. It's about making sure the time and money you're spending on security is actually making you safer.

If you're still drowning in vulnerability alerts and you're not sure what to fix first, that's a signal. It means the current approach isn't working.

Let's fix that.

We help New Zealand businesses build risk-based vulnerability management that actually works. No hype, no overselling, just practical, business-focused cybersecurity.

Get in touch and let's talk about what good vulnerability management looks like for your organisation.
