Having spent years at Qualys working on vulnerability risk and remediation management, I have watched the disclosure and remediation cycles from every angle. I have seen vulnerability researchers find a critical flaw in OpenSSH and the industry scramble to respond. I have seen organizations patching Log4Shell when it was not even applicable to their production environments. But more and more, I am watching the gap between when something is known to be exploitable and when it gets fixed stay stubbornly