The phrase you re doing it wrong is a common refrain in the security community these days as people wander around in various states of disillusionment with the technology and processes that have led to what many perceive as a systemic failure. To researcher Claudio Guarnieri, one of the major problems is obvious: we’re completely backward in the way we prioritize protection. Which bugs to fix first and how quickly to patch them should not be based on a CVSS score or criticality rating, but rather on how likely an attacker is going to try and exploit any given vulnerability.
Source: https://threatpost.com/rise-data-driven-security-100112/77061/