Vulnerability Backlogs: Why Exposure, Not Volume, Should Drive Security Priorities

Key Takeaways

– Most vulnerability programs optimise for volume of findings rather than reduction of actual exposure — creating the illusion of progress while risk persists
– Of the 40,000+ vulnerabilities published annually, only a small fraction are exploited in the wild — yet organisations remediate based on quantity rather than likelihood
– Enterprise vulnerability backlogs now persist beyond 12 months, with a significant percentage of discovered vulnerabilities remaining unpatched — not because teams are slow, but because they're solving the wrong problem
– Critical vulnerabilities take months to remediate on average, during which organisations remain exposed — exposure duration is a more meaningful risk metric than raw backlog count
– Exposure-driven security is defined by three foundational principles: measuring exposure duration rather than finding count, contextualising by exploitability and asset criticality, and validating through actual remediation rather than ticket closure

Security teams have never had more vulnerability data. Scanners run continuously. Reports stack up. Backlogs grow. Yet breach rates haven’t meaningfully declined.

Most vulnerability programs optimise for volume, not exposure. They measure how many vulnerabilities are identified or closed, rather than how long critical assets remain exposed to known attack vectors. A vulnerability discovered and catalogued does nothing to reduce risk. An exposure closed and verified as remediated does.

The Vulnerability Paradox

In 2024, over 40,000 new CVEs were published (Rapid7, 2025) — representing a 38% increase from 2023. The National Vulnerability Database backlog exceeded 25,000 unprocessed CVEs as processing rates struggled to keep pace. Meanwhile, remediation velocity lags discovery, creating a structural deficit in which new findings accumulate faster than existing ones can be addressed.

The more effectively teams scan, the longer their backlogs grow. Orro observes security teams being busier than ever — running more scans, generating more tickets — yet feeling less confident about their actual security posture. The question “are we more secure than last quarter?” rarely has a clear answer, despite hundreds of hours invested in vulnerability management.

Why Backlogs Persist Despite Increased Tooling

Enterprise vulnerability backlogs now represent a persistent operational challenge, with a significant proportion of discovered vulnerabilities remaining unpatched after 12 months. This persistence is the predictable outcome of volume-based prioritisation.

Compliance drives scanning frequency, not remediation velocity. Most frameworks mandate regular scanning without meaningful remediation SLAs or contextual prioritisation. Teams optimise for what’s measured — scan coverage, finding identification — rather than exposure reduction.

Scanners produce findings; infrastructure teams manage change windows. The disconnect between continuous detection and remediation capacity guarantees backlog growth unless active prioritisation bridges the gap.

Poor risk signalling makes everything feel urgent. When CVSS scores are the primary metric, hundreds of “high” and “critical” findings demand attention. Without better context — exploitability, asset criticality, compensating controls — everything looks important, so nothing gets truly prioritised.

Orro sees the operational breakdown here. Security teams generate endless spreadsheets attempting to manually add context to scanner output. The work required to answer these questions for every finding exceeds organisational capacity, so teams default to heuristics that measure convenience or compliance, not exposure.

Why Volume-Based Prioritisation Fails

Misaligned effort. Research shows that only a small fraction of all published CVEs are exploited in the wild. CISA’s Known Exploited Vulnerabilities catalog (CISA, 2026) lists approximately 1,275 vulnerabilities confirmed as exploited in real attacks — a small fraction of the total CVE database. Time spent remediating low-probability vulnerabilities is time not spent reducing high-impact exposures.

False confidence. Vulnerability metrics measure activity rather than security improvement. Teams report “90% of critical vulnerabilities remediated within SLA” without clarifying what percentage of the estate was scanned, which critical assets were included, or whether remediation was verified. A clean report doesn’t mean secure systems — it means the scanned subset met measurement criteria.

Remediation fatigue. When backlogs persist despite sustained effort, teams experience burnout. Security professionals report high stress partly due to overwhelming workloads that never meaningfully decrease. No team can close vulnerabilities faster than modern environments generate them, especially when the prioritisation framework treats all findings as important.

Evidence Snapshot

On vulnerability volume and exploitation
– In 2024, over 40,000 new CVEs were published, a 38% increase from 2023 (Rapid7, 2025)
– Research indicates approximately 60% of data breaches stem from known, unpatched vulnerabilities where patches were available but not deployed (Automox, 2024)
– CISA’s Known Exploited Vulnerabilities catalog contains 1,275 vulnerabilities confirmed as exploited, a small fraction of the total CVE database (CISA, 2026)

On vulnerability backlogs and remediation speed
– The Australian Cyber Security Centre responded to over 1,200 cyber incidents in FY2024-25, an 11% increase year-on-year, with some organisations taking over 520 days to detect intrusions (ACSC, 2025)
– The National Vulnerability Database backlog exceeded 25,000 unprocessed CVEs as processing rates failed to match discovery rates (Rapid7, 2025)

What Exposure-Driven Security Looks Like

Exposure-driven security shifts the objective from “close vulnerabilities” to “reduce exploitable exposure.” It rests on three foundational principles: measuring exposure duration rather than finding count, contextualising by exploitability and asset criticality, and validating through actual remediation rather than ticket closure.

Governed by exposure duration, not finding count. Instead of tracking “number of critical vulnerabilities remediated this month,” exposure-driven programs measure “average days of critical exposure per asset” or “percentage of business-critical systems with zero high-confidence exploitable exposures.” These metrics focus attention on risk reduction rather than activity.

Contextualised by exploitability and asset criticality. Not all critical vulnerabilities create meaningful business risk. Exposure-driven prioritisation considers whether the vulnerability is actively exploited in the wild, whether the affected system is internet-accessible, whether it processes sensitive data, what compensating controls exist, and how quickly exploitation could impact operations. This approach mirrors Orro’s philosophy on risk-based decision-making across all operational domains.

Validated through actual remediation, not ticket closure. Exposure isn’t eliminated when a ticket is marked “closed” — it’s eliminated when the vulnerability no longer exists and that state has been verified. This distinction matters especially for complex vulnerabilities requiring multi-step remediation or business logic changes that scanners can’t automatically verify.

Operational Realities Orro Sees

Long-lived high-risk exposures. Critical vulnerabilities often remain open not because they’re unknown, but because remediation complexity exceeds team capacity. These require coordination across multiple teams, testing, and careful deployment during maintenance windows. The backlog doesn’t reflect these as fundamentally different from scanner findings requiring a simple config change. Like network infrastructure optimisation, the real work begins after deployment — not before it.

Remediation focused on easy wins. When teams can’t clear their entire backlog, they optimise for velocity rather than impact. Low-hanging fruit gets addressed first. High-impact exposures requiring architectural changes or vendor engagement slip down the priority list. Teams look busy, metrics trend positively, yet the exposures attackers actually target remain unaddressed.

Lack of shared risk language. Security teams speak in CVEs and CVSS scores. Infrastructure teams speak in change requests and maintenance windows. Application teams speak in sprint capacity. Without a shared language for risk that connects vulnerability data to business impact, remediation remains a negotiation rather than a coordinated response to genuine exposure.

Moving Beyond Volume

Measure what matters: exposure duration on critical assets. Define a subset of systems — those handling sensitive data, supporting critical business processes, or accessible from untrusted networks — and measure their exposure state continuously. Track days since last successful exploitation attempt, percentage of critical systems with zero high-confidence exploitable exposures, and mean time between detection and verified remediation for exploited vulnerabilities.

Prioritise by exploitability, not just severity. Integrate threat intelligence, exploit availability, and active exploitation data. CISA KEV (CISA, 2026) provides a curated list of actively exploited vulnerabilities. A critical vulnerability with no public exploit affecting an internal system warrants different urgency than a moderate vulnerability actively exploited against internet-facing infrastructure. The Australian Cyber Security Centre recommends (ACSC, n.d.) organisations implement risk-based patching approaches that prioritise actively exploited vulnerabilities.

Verify remediation, don’t assume it. Treat remediation as complete only when verified closed, not when marked resolved in a ticket system. This surfaces configuration drift, incomplete deployments, and edge cases that reintroduce exposure.
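The three steps above (measure exposure duration on critical assets, prioritise by exploitability and asset context, count remediation only once verified) and the three principles under “What Exposure-Driven Security Looks Like” can be reduced to a small scoring and reporting routine. The following is an added example, not Orro’s tooling or any scanner’s output: the CVE ids, assets, dates and scoring weights are all constructed placeholders, and the KEV set stands in for a lookup against the real CISA catalog.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: placeholder CVE ids, not real KEV entries; TODAY is fixed for the demo.
KEV = {"CVE-0000-0001", "CVE-0000-0003"}  # stand-in for the CISA KEV catalog
TODAY = date(2025, 6, 30)
@dataclass
class Asset:
    internet_facing: bool
    critical: bool  # handles sensitive data, supports a critical process, or sits on a trust boundary
@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    detected: date
    closed: Optional[date] = None    # ticket marked resolved
    verified: Optional[date] = None  # rescan confirmed the fix
ASSETS = {"web-01": Asset(internet_facing=True, critical=True),
          "db-01": Asset(internet_facing=False, critical=True),
          "dev-07": Asset(internet_facing=False, critical=False)}
FINDINGS = [
    Finding("CVE-0000-0001", "web-01", 7.5, date(2025, 6, 1), closed=date(2025, 6, 10)),
    Finding("CVE-0000-0002", "dev-07", 9.8, date(2025, 4, 1)),
    Finding("CVE-0000-0003", "db-01", 6.5, date(2025, 5, 1), closed=date(2025, 5, 20), verified=date(2025, 5, 21)),
]

def priority(f: Finding, a: Asset) -> float:
    # Active exploitation and asset context are weighted above raw CVSS; the weights are illustrative.
    return f.cvss + 10 * (f.cve in KEV) + 5 * a.internet_facing + 5 * a.critical

def prioritise(findings, assets):  # a closed-but-unverified ticket is still an open exposure
    return sorted((f for f in findings if f.verified is None),
                  key=lambda f: priority(f, assets[f.asset]), reverse=True)

def exposure_metrics(findings, assets, today: date) -> dict:
    # Exposure ends at verified remediation, never at ticket closure.
    crit = [f for f in findings if assets[f.asset].critical]
    days = [((f.verified or today) - f.detected).days for f in crit]
    exposed = {f.asset for f in crit if f.cve in KEV and f.verified is None}
    n_crit = sum(a.critical for a in assets.values())
    ttv = [(f.verified - f.detected).days for f in findings if f.verified and f.cve in KEV]
    return {
        "avg_exposure_days_critical": sum(days) / len(days) if days else 0.0,
        "pct_critical_assets_clean": 100.0 * (n_crit - len(exposed)) / n_crit,
        "mean_days_to_verified_fix_kev": sum(ttv) / len(ttv) if ttv else None,
    }
```

On this data a CVSS-only sort would put the 9.8 on the non-critical dev box first, while the exposure view ranks the actively exploited 7.5 on the internet-facing critical host ahead of it and keeps counting its exposure days even though its ticket was closed on 10 June.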

What Leaders Should Reassess Now

If vulnerability backlogs continue growing despite increased effort and tooling, security leaders should ask:

  1. Which vulnerabilities actually expose critical assets to exploitation?
    Not every finding in the backlog represents meaningful risk. Identify which systems process sensitive data, support critical operations, or sit on trust boundaries — then prioritise exposures affecting those assets above all others.
  2. How long are we exposed, not just how many issues exist?
    Exposure duration is the attack window. A system vulnerable for 90 days represents materially higher risk than one vulnerable for 7 days, regardless of backlog size. Measure and optimise for speed to verified remediation on critical paths.
  3. Do remediation teams understand why something matters?
    Without clear risk context — exploitability, business impact, threat intelligence — infrastructure teams lack the information needed to make intelligent trade-offs. Security teams must provide more than severity scores; they must articulate business risk in operational terms.

The goal isn’t to close every vulnerability. It’s to minimise the window during which attackers can exploit genuine weaknesses in critical systems. That’s exposure reduction. Everything else is activity.

If vulnerability remediation feels disconnected from real risk, Orro works with organisations to refocus security efforts on reducing exposure — not just processing findings. We help security leaders build programs that deliver genuine risk reduction rather than compliance theatre, connecting vulnerability intelligence to business context in ways that enable effective prioritisation.
