Is Vulnerability Management more about Vulnerabilities or Management?

I’ve just read a nice article about Vulnerability Management in the Acribia blog (in Russian). An extract and my comments below.

In the most cases Vulnerability Management is not about Vulnerabilities, but about Management. Just filtering the most critical vulnerabilities is not enough.

Practical Cases:

1. “Oh, yes, we know ourselves that that everything is bad!” - CVE-2013−4786 IPMI password hash disclosure on > 500 servers. Customer just accepted the risks, Acribia proposed an effective workaround (unbrutable user IDs and passwords)._ It’s often hard to figure out right remediation measures and implement them. Someone should do it!_
2. “We can download OpenVAS without your help!” - CVE-2018-0171 Cisco Smart Install RCE on 350 hosts. Vulnerability detection rules of several Vulnerability Scanners were not good enough to detect this vulnerability. Do not rely on scanners, know how they work and their limitations.
3. “If the attackers wanted to hack us, they would have already done it!” - CVE-2017-0144 (MS17-010) Windows SMB RCE on domain controller and several other critical servers. Vulnerability was detected in infrastructure several times, the remediation was agreed with the management, but it was ignored by responsible IT guys. As a result, during the next successful WannaCry-like malware attack the servers, including the DC were destroyed. Vulnerability Management is about the willingness to patch anything, very quickly, as often as required. Otherwise, it makes no sense.