We’ve relied on vulnerability scanners to assess our assets and generate reports containing IP addresses and their associated CVEs. CVEs add value but only represent a subset of your risk exposure. They miss critical variables such as the presence and state of endpoint IT management and security controls, making them largely obsolete when relied upon in a vacuum. 

Does it matter how many CVEs you detect if impacted devices have no remediation controls? A modern approach to vulnerability management must transcend the realm of CVEs and encompass exposures related to environmental vulnerabilities—missing endpoint controls, outdated or non-communicative controls, and misconfigurations.