Dr. Yonesy F. Núñez is the CISO of Surf AI and a six-time CISO across financial services, fintech, and agentic AI.

For two decades, enterprise cybersecurity has run on a simple loop. Find the flaw. Name the flaw. Score the flaw. Fix the flaw. That loop is breaking, and most companies do not yet know it.

Earlier this year, NIST formally acknowledged that the National Vulnerability Database can no longer keep pace with new submissions. Tens of thousands of CVEs are being moved to a “Not Scheduled” category. The pre-March 2026 backlog has been effectively abandoned. The agency is now triaging only what the CISA Known Exploited Vulnerabilities catalog flags, what federal software requires and what Executive Order 14028 designates as critical.

For most organizations, that is not a footnote. It is the foundation. NVD enrichment feeds vendor scanners, the dashboards built on those scanners, the audit reports built on those dashboards and the executive narratives built on top of those audit reports. When the foundation cannot scale, every layer above it inherits the gap.

This is happening at the same moment AI is industrializing vulnerability discovery. Frontier models have already validated hundreds of high-severity zero-days in production open-source code, including a Linux kernel bug that had been sitting unnoticed since 2003. Autonomous systems are topping bug bounty leaderboards. Research estimates that AI vulnerability research capability is doubling every four months.

Discovery is no longer the constraint. Remediation is. And the gap between what we can find and what we can fix is widening every quarter.

The Economics Were Broken Before AI

Even before AI accelerated discovery, the vulnerability management market was structured around the wrong incentive. Vendors get paid to reveal problems. Enterprises pay to fix them. That asymmetry built an industry that rewards visibility and tolerates backlog.

Inside large organizations, the result is familiar to every CISO. Security teams present thousands of critical and high findings. Engineering leaders push back, citing legacy systems, testing windows and operational risk. Executives see red dashboards but rarely see a clean business case for what to fund first. The backlog becomes permanent. It gets reported as a control gap. It is actually a scaling failure.

That failure was tolerable when discovery moved at human pace. It is not tolerable now.

Severity Is Not Risk

The deeper issue is conceptual. CVSS, the scoring system used to rate the severity of vulnerabilities, was never designed to be a business priority model. A high CVSS score on an isolated internal system can be less urgent than a medium score on an internet-facing system tied to customer identity, payments or regulated data.

Real risk depends on context. Is the system exposed? Is the vulnerability actually exploitable in our environment? Is the asset material to the business? Are existing controls already blocking the attack path? Are adversaries using this technique today?

The current model flattens that context into colored cells on a dashboard. It creates urgency. It does not create an investment plan.

The Conversation That Needs To Change

After six CISO seats across financial services, fintech and now agentic AI, the question that matters has not changed. It has just been asked the wrong way.

We keep asking how many criticals we have. The right question is how much material exposure we can prove, and how much a defined investment would remove.

An honest conversation about software risk should sound like this. We have identified 12 verified exploit paths into systems that touch regulated data or core revenue. Six of those involve vulnerabilities on the CISA Known Exploited list. Four affect systems carrying customer identity. A defined investment of X over Y quarters eliminates eight of them and reduces residual exposure on the remaining four to a level the business has consciously chosen to accept.

That is not a dashboard. That is a decision.

It also forces a more honest internal conversation about what cannot be remediated, which compensating controls actually hold up under attacker pressure, and what residual risk the enterprise is choosing to retain. Regulators are moving in this direction. Companies should get there first.

The New Model

Three shifts will define the next generation of vulnerability management.

First, exploitation-weighted prioritization replaces CVSS-driven prioritization. Known exploitation telemetry, EPSS, runtime reachability and asset materiality become the primary inputs. CVSS becomes a vocabulary, not a priority order.

Second, the unit of measurement changes. Not findings opened or closed, but verified exposure paths reduced. Every quarter, every executive briefing, every regulatory submission should answer the same question. Did material exposure go down or up?
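As an added example of the first two shifts (not the author's code or any vendor's product), the prioritizer below ranks a set of constructed findings by exploitation-weighted exposure instead of CVSS and reports how many verified exposure paths were retired in a quarter; the weights, the definition of an "exposure path" and the sample findings are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    id: str           # constructed label, not a real CVE number
    cvss: float       # CVSS base score, 0-10
    epss: float       # EPSS probability of exploitation, 0-1
    in_kev: bool      # on the CISA Known Exploited Vulnerabilities list
    reachable: bool   # vulnerable code path is reachable at runtime
    exposed: bool     # asset is internet-facing
    material: bool    # asset touches regulated data or core revenue

# Assumed weights: a finding with no runtime path, no exposure or no
# business materiality is discounted rather than dropped entirely.
def exposure_score(f: Finding) -> float:
    likelihood = 1.0 if f.in_kev else f.epss   # known exploitation trumps a forecast
    return (likelihood
            * (1.0 if f.reachable else 0.1)
            * (1.0 if f.exposed else 0.3)
            * (1.0 if f.material else 0.25))

def cvss_order(findings):
    """The old loop: sort by severity alone."""
    return [f.id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def exposure_order(findings):
    """The new loop: sort by exploitation-weighted exposure."""
    return [f.id for f in sorted(findings, key=exposure_score, reverse=True)]

def is_exposure_path(f: Finding) -> bool:
    """Assumed definition of a 'verified exposure path' worth reporting upward."""
    return f.reachable and f.exposed and f.material and (f.in_kev or f.epss >= 0.1)

def exposure_paths(findings):
    return sorted(f.id for f in findings if is_exposure_path(f))

def quarterly_delta(before, after):
    """The metric leadership should hear: how many material exposure paths went away."""
    return len(exposure_paths(before)) - len(exposure_paths(after))

# Constructed sample: four findings as a scanner might report them.
SAMPLE = [
    Finding("F-A", 9.8, 0.02, False, False, False, False),  # critical, but an isolated lab box
    Finding("F-B", 6.5, 0.60, True,  True,  True,  True),   # medium CVSS, KEV-listed, on payments
    Finding("F-C", 7.5, 0.30, False, True,  True,  True),   # high EPSS, customer identity system
    Finding("F-D", 8.8, 0.05, False, True,  False, True),   # internal, material, not exposed
]

if __name__ == "__main__":
    print("CVSS order:    ", cvss_order(SAMPLE))        # F-A, F-D, F-C, F-B
    print("Exposure order:", exposure_order(SAMPLE))    # F-B, F-C, F-D, F-A
    after = [f for f in SAMPLE if f.id != "F-B"]        # F-B remediated this quarter
    print("Paths retired: ", quarterly_delta(SAMPLE, after))  # 1
```

The CVSS ordering puts the isolated lab box first; the exposure ordering puts the KEV-listed payments finding first, and the quarterly number is what goes in the briefing.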

Third, supply chain compromise gets its own seat at the table. The biggest open-source incidents of the past year did not exploit code vulnerabilities. They compromised maintainer credentials, package publishing tokens and CI/CD trust workflows. That is a governance and identity problem, not a CVE problem, and the controls live in an entirely different operating model.

The Takeaway

The old vulnerability system was a real achievement. It gave the industry a common vocabulary for software flaws and turned hidden weaknesses into public knowledge. But public knowledge is no longer enough. The system now finds vulnerabilities faster than anyone can enrich them, contextualize them, rank them or fix them.

The old model counted problems. The new model proves which problems matter, funds the work to retire them and tells leadership honestly what residual risk is being accepted in return.

That is the conversation the next decade of cybersecurity will be measured by. The companies that get there first will set the standard. The ones still managing to a colored dashboard will be answering for it.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
