I also made a meme with the cool Yusuf Dikeç. 
Every vulnerability existing in the infrastructure must be detected. For each detected vulnerability, a patching task must be created.
This is the base. And when they tell you that you don’t have to do this because there is some super-modern vulnerability assessment and prioritization tool, you should be skeptical. 
I watched a joint webinar by Vulners and RST Cloud about Vulnerability Prioritization.
Kir Ermakov from Vulners spoke about the importance of prioritizing vulnerabilities (especially for MSSP companies, since they are responsible for customer security) and how it can be improved using dynamically updated AI Score v2. I really liked his phrase: “if you don’t know your assets very well, turn off the webinar and go do Asset Management”. Asset Management is the base. 
Yury Sergeev from RST Cloud told how, when prioritizing vulnerabilities, take into account data on the exploitation of vulnerabilities in real attacks (in your location, in your industry, for your attacker profile). He provided a formula and demonstrated how taking these factors into account affects prioritization. I liked his regreSSHion example: there is a lot of hype, but the attack is very noticeable and takes a lot of time, so the exploitation is unlikely to be widespread.
An idea worth a million Hamster coins. 
Website/app to tap on CVEs. But it will make sense to tap not on all CVEs, but only on those that should have a confirmed exploit or sign of exploitation in the wild within the next week.
When such a sign or exploit does appear, distribute coins to those who have been tapping on this vulnerability for the last week. In proportion to the number of taps, the criticality of the vulnerability, etc.
And based on the analysis of these taps, it will be possible to make forecasts on the exploitability of vulnerabilities. With the help of AI, of course.
I am sure that this will work much better than EPSS and social network fortune tellers.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.