For two decades, the security industry has relied on vulnerability scoring frameworks to solve one of its hardest challenges: deciding what to patch first. Systems like CVSS, EPSS, SSVC, and KEV were built to cut through the overwhelming volume of vulnerabilities and help teams prioritize. The promise was simple: use smarter metrics to prioritize what to fix first, reduce risk, and keep attackers out.
Oh, we’ve written on this before. But now, a new research analyzing 600 Microsoft Patch Tuesday vulnerabilities shows a sobering truth: scoring fails at the only job it was created to do - prioritization. The research exposes a harsher reality: the frameworks don’t agree, they don’t predict, and they don’t protect. Instead of clarity, they generate noise - leaving defenders overworked, under-resourced, and often blindsided.
A quick disclaimer first: while this research is based on 600 vulnerabilities from Microsoft’s Patch Tuesday disclosures - not the most diverse or dynamic dataset - it still surfaces valuable lessons about the limits of today’s vulnerability scoring and prioritization models.
Scoring Systems Don’t Agree
If multiple scoring systems are supposed to guide us, they should at least agree on what matters most.
One of the most striking findings from the study is the lack of alignment between scoring systems. Across the 600 vulnerabilities, only 5 out of the “Top 100” appeared across all frameworks. That’s just 5%. Imagine five analysts each giving you a different top-priority list - you’d be back where you started: guessing.
This means that depending on which metric a CISO chooses to follow, their team could end up patching completely different vulnerabilities. What was meant to be an objective guide has instead become a fragmented, contradictory map.
Predictive Models Miss the Mark
EPSS was introduced to address a critical gap: predicting which vulnerabilities are most likely to be exploited in the wild. In theory, this should make prioritization smarter and more effective. But the research shows results were disappointing:
- 22% blind spot - Nearly a quarter of exploited CVEs weren’t scored by EPSS at all before showing up in CISA’s Known Exploited Vulnerabilities (KEV) list.
- 80% miss rate - Only 1 in 5 exploited vulnerabilities was flagged with an EPSS score above 0.5 in advance.
Attackers don’t follow probability models. They look for opportunities, and this research shows attackers had a four-to-one advantage over defenders relying on EPSS as an early warning system.
When Everything Is “Critical,” Nothing Is
If EPSS fails by missing, CVSS fails by over-warning. More than 50% of vulnerabilities land in “High” or “Critical” buckets. When half the alerts are marked red, there’s no real prioritization. Teams are forced to triage endlessly, trying to separate the truly dangerous from the merely theoretical. Rather than enabling smarter prioritization, CVSS creates alert fatigue at scale.
The Myth of Safe “Low Severity” Vulnerabilities
Perhaps the most alarming insight from the research is that vulnerabilities scored as “medium” or even “low” were still exploited effectively in the wild.
These are the issues security teams are told to ignore or push down the backlog. Yet attackers weaponized them successfully, proving that severity ≠ exploitability. The scoring frameworks downplayed them; attackers didn’t. For defenders, this shows the risk of putting blind faith in any system that encourages ignoring “low” vulnerabilities.
The Outcome: A Fractured View of Risk
Despite all the sophistication built into CVSS, EPSS, SSVC, KEV, and other frameworks, the research shows they rarely agree or predict. Each framework optimizes for something different: CVSS for inherent severity, EPSS for likelihood, SSVC for actionability, KEV for known exploitation. On paper, this sounds complementary. In practice, it’s fragmentation. Instead of producing a unified signal that defenders can rely on, scoring leaves security teams juggling competing numbers with no trustworthy compass.
And this is where the real issue emerges: if the very tools designed to guide prioritization can’t align, then prioritization itself becomes an illusion.
The Illusion of Prioritization
When you step back, the picture becomes clear:
- Scoring frameworks contradict each other.
- EPSS misses real-world exploits.
- CVSS drowns teams in “critical” labels.
- Low scores lull defenders into a false sense of safety.
The net result is not prioritization, but the illusion of prioritization. Security leaders think they are making informed, data-driven patching decisions - but in reality, they are often flying blind.
The outcome for organization is also quite visible:
- Teams drown in conflicting dashboards.
- Analysts waste cycles debating scores instead of fixing code.
- Security budgets balloon, but risk doesn’t go down.
The result is fatigue without actual progress.
Breaking the Cycle: Secure-by-Default Software
What this research really shows is that you can’t win the scoring game. If the scoring model is broken, the answer isn’t another scoring tweak. It’s a shift in strategy.
If the frameworks can’t agree, if predictions miss the mark, and if even low-severity issues turn into breaches, then the only rational conclusion is: stop relying on scores to save you.
The alternative is clear - software that ships secure-by-default. Instead of debating what might matter, start from a place where open source dependencies arrive hardened and already remediated. Secure-by-default approaches remove the need for guesswork. Instead of gambling on which vulnerabilities might matter, every vulnerability is fixed automatically and universally.
Why Backporting Is the Answer
At Resolved Security, we’ve pioneered a way to achieve this secure-by-default through automated backporting of patches into open-source dependencies: delivering open source libraries with vulnerabilities patched - without forcing costly, time-consuming triage & upgrades.
This means:
- Every vulnerability gets addressed, regardless of score.
- Teams don’t waste time debating metrics that don’t correlate with real-world risk.
- Exploitable “low-risk” vulnerabilities don’t slip through the cracks.
At Resolved Security, we believe the only scalable way forward is backporting:
- Scalable: Analysts no longer need to chase noisy scores. The software is already secured at the source.
- Cost-efficient: Save all that Triage, Development and Testing efforts previously invested in dependency upgrades when your tail is on fire.
- Risk-efficient: Solve 8x vulnerabilities, at the best possible MTTR.
Reliable: Protection doesn’t hinge on flawed predictions or broken severity models, and remediation is infinitely safer to your production.
Conclusion: Stop Scoring. Start Securing.
Vulnerability scoring was supposed to solve prioritization. Instead, it has delivered contradiction, false confidence, and missed threats. The research proves what many CISOs already feel in practice: prioritization through scoring doesn’t work.
The way forward is not another iteration of broken scoring systems, but a fundamental change: making software secure-by-default. Only then can organizations move from chasing an illusion of prioritization to achieving real resilience.
