Patching is the security control that everyone agrees is important and almost no organisation does well. CISA’s Known Exploited Vulnerabilities (KEV) catalogue, available at cisa.gov/known-exploited-vulnerabilities-catalog, is the closest thing the industry has to a real-time threat-driven patch list, and the median enterprise lags the KEV by months for internet-facing systems and longer for internal ones. The gap is not because nobody knows the patches matter. It is because patch management as practised in most organisations is structurally broken.
What goes wrong, in five categories
Discovery fails. The organisation does not know what it owns. The IT-managed asset inventory misses the marketing team’s WordPress instance, the developer’s exposed Jenkins, the legacy ESXi host the previous admin "forgot," the IoT camera in the warehouse. Internet-facing exposure scans from Censys and Shodan routinely surface assets that the asset-management database does not.
Severity prioritisation fails. The CVSS score is treated as the primary input, even though CVSS measures theoretical severity and not actual exploitation. CVE-2017-11882 (Microsoft Office Equation Editor) had a CVSS of 7.8 and was exploited en masse for years. CVE-2023-23397 (Outlook NTLM leak) had a CVSS of 9.8 and was exploited by APT28 within days. Treating both as equivalent is wrong; treating CVSS-9.x as the only thing worth patching this quarter is also wrong.
Application of patches fails. Vendor-provided patches break things (kernel modules, driver chains, application compatibility), and the operational team has been burned often enough to slow-roll deployment. Some of this is risk-aversion; much of it is justified institutional memory.
Closure of the patch fails. The patch is applied to 90% of hosts. The remaining 10% (long-running batch jobs, kiosks, isolated networks, executive laptops) accumulate over years and become the attack surface that succeeds.
Verification fails. Nobody is testing whether the patch actually closed the vulnerability. Some patches are applied but only take effect after a service restart, a registry change, or follow-up configuration. Vulnerability scanners report that something is still vulnerable; the patch ticket is closed anyway because the rollout completed.
Better signals than CVSS
The thing that actually separates "we are exposed to this" from "we are not" is exploitation behaviour. Two data sources are essential:
CISA KEV. The KEV catalogue lists vulnerabilities for which CISA has confirmed in-the-wild exploitation. Federal agencies are required to remediate KEV entries within 14 days of inclusion (BOD 22-01). The KEV is the highest-priority patch list any organisation can operate against, and it is free.
EPSS. The Exploit Prediction Scoring System, run by FIRST.org (first.org/epss), publishes a daily probability score for each CVE indicating the likelihood of exploitation in the next 30 days. EPSS distinguishes the CVSS-9.x vulnerability nobody is using from the CVSS-6.x vulnerability that is being mass-exploited today. Combining EPSS percentile, KEV listing, and CVSS gives a credible prioritisation function.
A pragmatic prioritisation hierarchy:
Immediate (24-72 hours): on KEV, internet-facing, no compensating control.
Urgent (within 7 days): on KEV, internal, or high EPSS percentile (top 5%) and exploitable.
Standard (within 30 days): high EPSS percentile, or vendor-rated critical with reachable attack surface.
Routine (within quarterly cycle): everything else.
This is the model used by mature operations and recommended in NIST SP 800-40r4 (nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf).
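The hierarchy above as a triage function, written as an added example rather than anything from the cited NIST or CISA material. It assumes EPSS percentiles on a 0.0 to 1.0 scale (0.95 and above being the top 5%), treats CVSS 9.0 or higher as a stand-in for "vendor-rated critical", maps the quarterly cycle to a 90-day SLA, and puts any KEV entry that is not immediate into the urgent tier; the sample findings and their scores are constructed, not real EPSS data.

```python
from dataclasses import dataclass

TIERS = {"immediate": 3, "urgent": 7, "standard": 30, "routine": 90}  # SLA in days (90 = quarterly, an assumption)

@dataclass
class Finding:
    cve: str
    host: str
    cvss: float
    epss_percentile: float    # 0.0..1.0; 0.95 and above is the top 5% the text refers to
    on_kev: bool
    internet_facing: bool
    compensating_control: bool
    exploitable: bool         # vulnerable code path actually reachable in this deployment

def tier(f: Finding) -> str:
    """Map one finding onto the four tiers; evaluation order is the priority order."""
    if f.on_kev and f.internet_facing and not f.compensating_control:
        return "immediate"
    high_epss = f.epss_percentile >= 0.95
    if f.on_kev or (high_epss and f.exploitable):
        return "urgent"          # any other KEV entry, or likely-exploited and reachable
    if high_epss or (f.cvss >= 9.0 and f.exploitable):
        return "standard"        # assumption: CVSS >= 9.0 stands in for "vendor-rated critical"
    return "routine"

def worklist(findings):
    """Order by SLA, then EPSS, then CVSS, so the queue drains in exploitation order, not CVSS order."""
    return sorted(findings, key=lambda f: (TIERS[tier(f)], -f.epss_percentile, -f.cvss))

def closed(f: Finding, rescan_hits: set) -> bool:
    """A ticket closes on a clean re-scan of that host, not on rollout completion."""
    return (f.host, f.cve) not in rescan_hits

# Constructed sample findings: IDs, hosts and scores are illustrative placeholders
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-edge-1", 9.8, 0.99, True, True, False, True),
    Finding("CVE-0000-0002", "file-srv-7", 7.8, 0.97, True, False, False, True),
    Finding("CVE-0000-0003", "www-2", 9.9, 0.40, False, True, False, False),   # high CVSS, not reachable
    Finding("CVE-0000-0004", "batch-3", 6.5, 0.96, False, False, False, True), # mid CVSS, mass-exploited
]

if __name__ == "__main__":
    for f in worklist(SAMPLE):
        print(f"{tier(f):9} {TIERS[tier(f)]:>3}d  {f.host:11} {f.cve}  cvss={f.cvss} epss={f.epss_percentile}")
```

Note that the CVSS 9.9 finding lands last and the CVSS 6.5 one is urgent, which is the point of feeding KEV and EPSS in ahead of CVSS.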
What internet-facing means in 2026
Edge devices, file transfer products, identity providers, VPN concentrators, and email gateways have been the consistent top-targeted asset classes for the past five years. The mass-exploitation campaigns of recent memory all hit one of these:
MOVEit Transfer (Cl0p, 2023): file-transfer product on the perimeter.
Ivanti Connect Secure (multiple actors, 2024): VPN appliance.
Citrix NetScaler / "CitrixBleed" (multiple, 2023-2024): remote-access gateway.
Fortinet FortiOS (multiple, 2024): perimeter firewall.
Microsoft Exchange (ProxyShell, ProxyNotShell, etc., 2021-2023): email and identity gateway.
The common feature is that these products sit on the internet, run complex code, are slow to update, and provide direct lateral access to the rest of the network when compromised. They deserve a different patch cadence than internal Windows workstations. Many organisations apply the same monthly cycle to both.
Compensating controls when patching is impossible
Some systems cannot be patched on a fast schedule. Industrial control systems, medical devices, embedded equipment, and legacy applications often have to coexist with vulnerabilities for months or years. Compensating controls become the substitute:
Network isolation. Place the unpatchable system in a microsegment that talks only to a small set of authorised peers. East-west traffic is blocked, or at least alerted on, by default.
Virtual patching. Web Application Firewall and IPS rules that block exploitation traffic at the edge, while the underlying application remains vulnerable. Useful as a stopgap, dangerous if treated as a permanent solution.
Identity gating. ZTNA front-ending the application, requiring strong authentication and device posture. The vulnerability still exists; the population of attackers who can reach it shrinks dramatically.
Behavioural monitoring. EDR or network telemetry tuned for the specific exploitation pattern. Less reliable than removing the vulnerability, but better than nothing.
What good looks like
The organisations that patch well share a small set of properties: they have an authoritative asset inventory that is wired into vulnerability scanning; they prioritise by KEV and EPSS in addition to CVSS; they maintain an explicit risk register for unpatchable systems with compensating controls; they validate patch closure with re-scan rather than ticket completion; and they treat internet-facing assets as a separate, faster cadence than internal endpoints.
None of this is novel. It is published in NIST SP 800-40 and CISA’s Cybersecurity Performance Goals. The reason it remains rare is that it requires organisational discipline, not new tools. The patch problem in 2026 is not technical. It is governance.
