September 25, 2025

Exploring Paradoxes in Effective Vulnerability Management

Jeremiah Grossman


For those who enjoy cybersecurity brain teasers, here’s a paradox from the world of vulnerability management:

Does fixing a vulnerability always reduce risk?

On the surface, most would say, “It depends.” And without more context, they would be right; there is no valid answer. Which then brings the onslaught of clarifying questions: 

Is the asset mission critical? Does it have line-of-sight to other critical systems? Can the vulnerability be exploited remotely? Does it require authentication? Would successful exploitation yield kernel-level access? You get the idea.

Let’s now level the playing field and make things simple with a few basic assumptions. 

Picture a corporate network with just one Internet-facing, mission-critical asset. If that system were remotely compromised, the company would take a $1,000,000 financial loss. A vulnerability scan comes back with 5 exploitable flaws, all equal in every way: they’re just as easy to find, just as straightforward to exploit, and they would cause the same degree of damage. Fixing any single one of them carries a remediation price tag of $10,000.

Now let’s revisit the question: Does fixing a vulnerability, any vulnerability, always reduce risk? 

The current guidance in the vulnerability management market would predominantly say, “yes.” That’s how the entire industry operates currently. Vulnerability management programs everywhere follow the same script: keep a prioritized list of flaws, patch them as fast as possible, and assume each one closed means less risk. 

But is that assumption actually true?

Let’s put this to the test with a simple thought experiment. When you look at a system with 5 exploitable vulnerabilities, a natural question comes up: What’s the total financial risk of loss? Is it $1,000,000? $5,000,000 ($1M x 5 vulnerabilities)? Something else entirely?

The answer may surprise some. It’s $1,000,000.

Why? Because the financial risk of loss isn’t cumulative across multiple vulnerabilities. Whether an attacker has 1 way in or 5, the potential loss remains the same. There’s only one mission-critical asset at stake, and if it falls, the damage is capped at $1,000,000. Extra doors don’t make the building worth more; they just make it easier to get inside.

So with the first question answered, let’s look at our first paradox.

Paradox 1: What Happens When You Fix Just 1?

If you remediate a single vulnerability, what happens to the risk? Does it stay at $1,000,000? 

And what if you fix 2? 3? 4?

Here’s where the paradox shows itself. Since all 5 vulnerabilities are identical, fixing any subset of them does nothing to reduce the financial risk. It remains locked at $1,000,000. The only time the risk actually goes to $0 is when every single vulnerability is remediated. In other words, the investment isn’t linear. You don’t chip away at the loss potential one fix at a time.

But here’s the good news. If the company chooses to spend $50,000 ($10,000 for each of the 5 vulnerabilities), it eliminates the full $1,000,000 of exposure. That’s a clear win and a strong return on security investment.

Paradox 2: When the Cost of a Fix Outweighs the Risk

Suppose 4 of the vulnerabilities still cost $10,000 each to fix, but one of them comes with a staggering $2,000,000 remediation price tag.

Now here’s the dilemma: if that $2,000,000 vulnerability is left unfixed, because the cost far outweighs the potential $1,000,000 loss, does it make sense to spend money fixing the other 4?

The answer is no. Just like in the first paradox, risk only goes down if every vulnerability is patched. Since the $2,000,000 fix isn’t justifiable, patching the other four won’t reduce the overall financial exposure. 

In this case, the smarter move is to think differently: retire the asset, consolidate its functions into another system, or transfer the risk through cyber-insurance if the premiums make sense.
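To make the arithmetic behind both paradoxes concrete, here is an added Python model (example code written for this page, not the author’s own material). It treats loss as capped per asset rather than summed per vulnerability, so exposure only drops when every exploitable flaw on an asset is closed, and it contrasts the industry’s “close as many tickets as possible” script with a plan that only spends where an asset can be fully closed. The asset names, the second asset’s figures, the `vuln-N` identifiers and the `patch_by_count` / `patch_by_exposure` strategies are all constructed for the example; the $1,000,000 loss and the $10,000 / $2,000,000 fix costs are the post’s.

```python
"""Model of the post's two paradoxes: loss is capped per asset, not summed per
vulnerability, so exposure only falls when every exploitable flaw is closed.
All assets, identifiers and the second asset's figures are constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    loss_if_compromised: float                       # damage if the asset falls
    fix_costs: dict[str, float] = field(default_factory=dict)  # vuln id -> cost to fix


def residual_risk(asset: Asset, fixed: set[str]) -> float:
    """Exposure left after fixing `fixed`. Any unfixed exploitable flaw leaves the
    full loss on the table; only a complete fix takes it to zero (Paradox 1)."""
    remaining = set(asset.fix_costs) - fixed
    return asset.loss_if_compromised if remaining else 0.0


def remediation_spend(asset: Asset, fixed: set[str]) -> float:
    return sum(asset.fix_costs[v] for v in fixed)


def full_fix_cost(asset: Asset) -> float:
    return sum(asset.fix_costs.values())


def worth_fixing(asset: Asset) -> bool:
    """Paradox 2: if closing every flaw costs more than the asset is worth,
    partial patching buys nothing and the asset needs another treatment
    (retire, consolidate, insure)."""
    return bool(asset.fix_costs) and full_fix_cost(asset) < asset.loss_if_compromised


def patch_by_count(assets: list[Asset], budget: float) -> tuple[float, float]:
    """The ticket-count script: cheapest fixes first, regardless of which asset
    they belong to, until the budget runs out. Returns (spend, residual risk)."""
    tickets = sorted((cost, a.name, vid) for a in assets for vid, cost in a.fix_costs.items())
    fixed: dict[str, set[str]] = {a.name: set() for a in assets}
    spend = 0.0
    for cost, name, vid in tickets:
        if spend + cost > budget:
            break
        fixed[name].add(vid)
        spend += cost
    residual = sum(residual_risk(a, fixed[a.name]) for a in assets)
    return spend, residual


def patch_by_exposure(assets: list[Asset], budget: float) -> tuple[float, float]:
    """Spend only where an asset can be fully closed within budget, taking the
    best loss-removed-per-dollar first. Returns (spend, residual risk)."""
    candidates = sorted((a for a in assets if worth_fixing(a)),
                        key=lambda a: a.loss_if_compromised / full_fix_cost(a), reverse=True)
    spend, closed = 0.0, set()
    for a in candidates:
        cost = full_fix_cost(a)
        if spend + cost <= budget:
            spend += cost
            closed.add(a.name)
    residual = sum(residual_risk(a, set(a.fix_costs) if a.name in closed else set()) for a in assets)
    return spend, residual


# Paradox 1: one Internet-facing asset, five identical $10,000 fixes, $1,000,000 at stake.
PARADOX_1 = Asset("web-portal", 1_000_000, {f"vuln-{i}": 10_000 for i in range(1, 6)})
# Paradox 2: same asset, but one of the five fixes now costs $2,000,000.
PARADOX_2 = Asset("web-portal", 1_000_000,
                  {"vuln-1": 2_000_000, **{f"vuln-{i}": 10_000 for i in range(2, 6)}})
# Constructed two-asset estate used to compare the two spending strategies.
PORTFOLIO = [PARADOX_1, Asset("hr-app", 300_000, {f"vuln-{i}": 10_000 for i in range(1, 4)})]

if __name__ == "__main__":
    for n in range(1, 6):   # fixing 1..4 leaves $1M; only the 5th fix removes it
        fixed = {f"vuln-{i}" for i in range(1, n + 1)}
        print(f"fix {n}: spend ${remediation_spend(PARADOX_1, fixed):,.0f}, "
              f"residual ${residual_risk(PARADOX_1, fixed):,.0f}")
    print("paradox 2 worth fixing:", worth_fixing(PARADOX_2))
    print("by ticket count (budget $60k):", patch_by_count(PORTFOLIO, 60_000))
    print("by exposure     (budget $60k):", patch_by_exposure(PORTFOLIO, 60_000))
```

With a $60,000 budget the ticket-count script spends all of it across both assets and still leaves $1,000,000 exposed, while the exposure-driven plan spends $50,000, fully closes the higher-value asset, and leaves $300,000. The ordering in `patch_by_exposure` is a simple ratio heuristic, not an optimal knapsack solution, but it is enough to show why partial fixes on the wrong asset do not move the number.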

The Bigger Picture

Reducing vulnerability management to dollars and cents forces difficult decisions but also aligns remediation with business goals. And here’s the uncomfortable truth: it is likely that a massive amount of remediation effort today is spent fixing the wrong vulnerabilities, in the wrong order, under the false assumption that risk is being measurably reduced.

If that’s true, it may also explain why only about 1% of all known vulnerabilities have ever been exploited, why the percentage isn’t going up like we want it to, and why adversaries have not been forced to innovate. Instead, they are free to simply scale using the same set of vulnerabilities year after year.

That’s the Paradox: fixing vulnerabilities does not always equate to reducing risk. Sometimes, the math forces you to ask harder questions about strategy, priorities, and whether you’re fighting the battle on the right front.

Stay Tuned For More
