The science and technology behind vulnerability management has changed a lot in a short time. When originally deployed, vulnerability management companies acted almost like antivirus vendors in that they tried to get their scanners to uncover as many potential threats as possible. They would even brag about being able to detect more vulnerabilities hiding in testbeds than their competitors.
The trouble with that logic is that unlike viruses and other types of malware, vulnerabilities are only potentially a problem. For a vulnerability to be truly dangerous, it must be accessible to an attacker and relatively easy to exploit. So, a vulnerability sitting on an internal resource isn’t much of a potential threat, nor is one that requires additional components like secure access to other network services. Knowing what is truly dangerous is important so that you can plan what to fix now, and what to put off until later or