Prioritize these vulnerabilities
Only 2%-7% of published vulnerabilities are seen exploited in the wild.
If you focused your remediation efforts on these, you would sort CVSS entries for:
- Code execution or SQL injection vulnerability
- Remotely exploitable
- In a Microsoft product
- With an exploit available on ExploitDB, Metasploit, or GitHub
- A CVE that has a higher number of external references
- Requiring no privileges
Remediate vulnerabilities that are known to be exploited first.
If you start there, you'll get 80% of returns for 20% of the efforts.