Several years ago, risk-based cybersecurity was a largely untested and hotly debated topic. But the tests have since been administered and the debate largely settled: risk based cybersecurity produces proven results. The research shows that, on average, about 5 percent of vulnerabilities actually pose a serious security risk. The time it took companies to patch half of their high-risk vulnerabilities was 158 days in 2019, this year, it was 27 days. Last year, about two-thirds of companies using a risk-free system reduced their vulnerability debt.
Source: https://www.helpnetsecurity.com/2021/05/03/risk-based-vulnerability-management/