Researchers looked at a dataset of 23 million vulnerabilities and 1.5 million breaches that occurred in June and July. The researchers wanted to figure out which vulnerabilities were actually being used in active attacks. If you patch the vulnerabilities that are in both Metasploit and Exploit DB, you will have the best chance of fixing the ones that are most likely to be used in an attack, they say. The way that organizations decide which vulnerabilities to patch still depends upon its own priorities, as well as what its main adversaries are.
Source: https://threatpost.com/relax-you-dont-have-to-fix-every-vulnerability/101927/