S&P Global Ratings has highlighted poor corporate vulnerability remediation as a significant risk factor. Analyzing data from over 7,000 rated companies, S&P found that 40% address known system flaws "infrequently," leaving them exposed.

This trend is particularly concerning for persistent vulnerabilities like Log4Shell, which remains popular among cybercriminals. S&P’s analysis revealed that some vulnerabilities have lingered for decades, even in unsupported software, with one instance lasting eight months at a single company, providing ample opportunity for exploitation.

The Verizon Data Breach Investigations Report, cited by S&P, showed a near tripling of vulnerability exploitation in 2023, emphasizing a growing threat. Despite this, not all vulnerabilities pose the same risk. S&P uses the Exploit Prediction Security Score (EPSS) to assess the likelihood of exploitation. The analysis indicated that the average EPSS score among rated companies was 0.33, suggesting a relatively low risk. However, some entities scored much higher, with one company recording an EPSS above 0.9 for a vulnerability rated 5.3 on the CVSS scale, highlighting disparities in risk assessment models.

S&P warned that ineffective vulnerability management could signal broader cybersecurity weaknesses. "Poor vulnerability management might indicate generally weak cyber risk management, which could influence our evaluation of overall management and governance," the agency noted. As cyber threats become more prevalent, companies must prioritize timely remediation to safeguard against potential exploitation.
