
When Vulnerability Management Becomes an Enterprise Risk- The European Financial Review

Author: admin_zeelivenews

Published: 08-03-2026, 6:52 PM

By Sylvain Cortes

With more than 48,000 new software vulnerabilities disclosed in 2025 alone, managing risk has become increasingly difficult. Yet volume is only part of the problem. Many organisations still prioritise vulnerabilities without sufficient business context, wasting investments and effort and, unknowingly, extending their risk exposure.

The steady rise in disclosed software vulnerabilities, commonly known as CVEs (Common Vulnerabilities and Exposures), is a defining feature of the cyber risk landscape. With more than 48,000 new CVEs reported in 2025, it’s easy to start assuming that the central challenge is simply scale.

The growing volume is certainly an issue, but it can be manageable for security teams that have a mature, efficient vulnerability management (VM) programme. On paper, many organisations appear to have reached the level of maturity needed to stem the rising tide.

Recent Hackuity research with security decision-makers found that 77% have a formalised remediation process in place and 97% operate defined service-level agreements for fixing vulnerabilities. In most cases, activity levels are high, tickets are being closed, and dashboards look reassuring.

However, activity does not automatically translate into reduced exposure. In many cases, what appears to be a thriving VM programme has actually optimised for the wrong things, creating a hive of activity that still leaves the organisation exposed to software vulnerability risks.

Why compliance-driven prioritisation can lead effort in the wrong direction

For many organisations, vulnerability management remains heavily influenced by compliance frameworks. Regulatory frameworks provide essential guidance, especially in a field as strict in its compliance demands as finance.

However, most security regulations were designed to establish minimum security baselines rather than reflect an organisation’s unique exposure. They should provide guidelines, not serve as the ultimate goal.

Yet we found that 43% of organisations still prioritise vulnerabilities primarily through a compliance-driven lens. Only 36% have adopted a genuinely risk-based approach that reflects their own unique risk profile and operational needs.

This distinction can have a significant impact on how vulnerabilities are assessed and addressed. Compliance typically focuses on demonstrating that controls are in place and deadlines are met, while risk-based prioritisation considers exploitability, asset criticality and potential business impact.

For example, there may be two vulnerabilities with the same technical severity score, which makes them equally important on paper. But they could represent vastly different levels of enterprise risk depending on whether they affect a customer-facing revenue platform or an isolated internal test system. This nuance is only apparent with a risk-based mindset.

This is especially important because remediation capacity is limited. Security teams operate under the constraints of time, budget and expertise, and these limits are becoming more apparent as the number of vulnerabilities increases.

If prioritisation lacks business context, these scarce resources are more likely to be misallocated. Hours are spent patching low-impact issues to satisfy audit requirements, while genuinely dangerous exposures may remain unresolved.

The hidden operational strain and extended exposure windows

Running a vulnerability management programme with context-blind prioritisation can have a range of negative effects, many of which aren’t readily apparent. Nearly half (42%) of organisations told us they struggle to prioritise effectively, while the same proportion said false positives and wasted effort are consuming time that should be spent addressing genuine risks.

Compounding this, 46% of organisations reported that the growing volume of vulnerabilities is placing additional strain on security resources.

One of the most telling metrics we saw is that, despite the sense of confidence many enterprises have in their programmes, the average mean time to remediate critical vulnerabilities still stands at four weeks. That’s a month-long exposure window during which attackers can exploit weaknesses before they are resolved.

And with a lack of prioritisation, any number of vulnerabilities in that four-week waiting list could secretly be critical threats leaving the company open to a major breach.

In fact, our research found that 40% of organisations already report downtime or operational disruption linked to vulnerability pressures. More than a third, 36%, say they have experienced a security incident resulting in regulatory impact, while 26% report data breaches and 25% cite associated legal liability and costs.

Reframing vulnerability management as risk governance

Despite these consequences, more than half (60%) of organisations acknowledge that vulnerability management receives less focus than other IT security initiatives. There is a distinct governance blind spot, especially at board level. Vulnerability management is typically thought of as procedural and routine, but it is a frontline risk prevention capability where failure can have huge consequences.

Addressing this growing risk requires a shift in how vulnerability management is defined, measured and governed. Success cannot be judged solely by compliance or metrics like the number of tickets closed or deadlines met. Instead, organisations must measure whether the exposure of business-critical assets is demonstrably reduced.

That begins with embedding genuine risk-based prioritisation. Vulnerabilities should be evaluated in terms of their exploitability, asset importance and potential business impact. This requires consolidating fragmented detection outputs into a single operational view so that decision makers can see where real exposure lies.

Automation plays a crucial role, but cannot be seen as simply a tool for speed. When used properly, automation enriches, correlates and filters vulnerability data, protecting analysts from overload and improving decision quality. It is notable that 99% of organisations believe improved automation reduces errors and increases efficiency.
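The two ideas above, that equal severity scores can mean very different enterprise risk depending on the affected asset, and that automation should consolidate, enrich and filter fragmented scanner output before anyone decides what to fix, can be shown in a few dozen lines. The following is an added example written for this page; it is not Hackuity's product code or the author's own method. The scanner feeds, asset inventory, exploit-intelligence set and scoring weights are all constructed and labelled as such, and the CVE identifiers are placeholders rather than real vulnerabilities.

```python
"""Risk-based vulnerability prioritisation (added example, constructed data).

Consolidates two scanner feeds with different schemas, removes duplicate
(cve, host) findings, enriches each finding with asset criticality and
exploit evidence, and ranks by business risk rather than raw CVSS score.
Every value below is constructed; CVE ids are placeholders.
"""
from dataclasses import dataclass

# Constructed asset inventory: criticality 1 (lowest) to 5 (highest)
ASSETS = {
    "pay-web-01":  {"criticality": 5, "exposed": True,  "tier": "customer-facing revenue platform"},
    "hr-db-02":    {"criticality": 4, "exposed": False, "tier": "internal database"},
    "test-lab-07": {"criticality": 1, "exposed": False, "tier": "isolated test system"},
}

# Constructed exploit intelligence (stands in for a known-exploited feed)
KNOWN_EXPLOITED = {"CVE-0000-0001"}

# Constructed scanner outputs: two tools, overlapping findings, different field names
SCANNER_A = [
    {"cve": "CVE-0000-0001", "host": "pay-web-01",  "cvss": 9.8},
    {"cve": "CVE-0000-0001", "host": "test-lab-07", "cvss": 9.8},
    {"cve": "CVE-0000-0002", "host": "hr-db-02",    "cvss": 7.5},
]
SCANNER_B = [
    {"id": "CVE-0000-0001", "asset": "pay-web-01",  "severity": 9.8},  # duplicate of scanner A
    {"id": "CVE-0000-0003", "asset": "test-lab-07", "severity": 9.1},
]


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float


def normalise(scanner_a, scanner_b):
    """Map both scanner schemas onto one Finding type and drop duplicate (cve, host) pairs."""
    seen = {}
    for f in scanner_a:
        seen.setdefault((f["cve"], f["host"]), Finding(f["cve"], f["host"], f["cvss"]))
    for f in scanner_b:
        seen.setdefault((f["id"], f["asset"]), Finding(f["id"], f["asset"], f["severity"]))
    return list(seen.values())


def risk_score(finding, assets=ASSETS, exploited=KNOWN_EXPLOITED):
    """Business-risk score = CVSS x asset criticality, boosted for exploit evidence and exposure.

    The multipliers (x2 for known exploitation, x1.5 for internet exposure) are
    illustrative assumptions, not a published standard.
    """
    asset = assets[finding.host]
    score = finding.cvss * asset["criticality"]
    if finding.cve in exploited:
        score *= 2.0
    if asset["exposed"]:
        score *= 1.5
    return round(score, 1)


def prioritise(findings):
    """Highest business risk first; ties keep scanner order."""
    return sorted(findings, key=risk_score, reverse=True)


def critical_asset_exposure(findings, assets=ASSETS, exploited=KNOWN_EXPLOITED, threshold=4):
    """Governance metric: business-critical assets carrying at least one known-exploited finding.

    This is the kind of number a board can track over time, unlike 'tickets closed'.
    """
    return {
        f.host for f in findings
        if assets[f.host]["criticality"] >= threshold and f.cve in exploited
    }


if __name__ == "__main__":
    findings = normalise(SCANNER_A, SCANNER_B)
    for f in prioritise(findings):
        print(f"{risk_score(f):>6}  {f.cve}  {f.host:<12} cvss={f.cvss}  ({ASSETS[f.host]['tier']})")
    print("critical assets with exploited findings:", critical_asset_exposure(findings))
```

Running it shows the point from the text directly: the same CVSS 9.8 finding scores 147.0 on the customer-facing platform and 19.6 on the isolated test system, and the 9.1 on the test system ranks below a 7.5 on the internal database. The duplicate reported by both scanners collapses to one finding, so the remediation queue counts four items rather than five.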

Finally, vulnerability management needs clear executive ownership and board-level visibility to ensure it aligns with enterprise risk priorities.

In a high-volume threat environment, ineffective vulnerability management can quickly but quietly escalate into systemic enterprise risk that boards can no longer afford to overlook.

Ultimately, the organisations most at risk are not those facing the highest number of vulnerabilities, but those without a clear line of sight between technical exposure and business impact.

About the Author

Sylvain Cortes is an internationally recognised authority on Identity and Access Management and Active Directory security. He shapes global go-to-market, product marketing, and product roadmap priorities for Hackuity, while championing enterprise vulnerability management. A Microsoft MVP for over 18 years, he brings decades of cybersecurity innovation to the industry.
