Lowering the risks that common vulnerabilities and exposures (CVEs) pose to organizations can be a costly endeavor — but shifting your team's focus away from the deluge can free up your software engineering efforts and unleash business opportunities while reducing risk, a new report has found.
Aquia co-founder and CISO Chris Hughes noted in a blog post about the new Chainguard report that organizations are being deluged with CVEs. "We’ve already exceeded 20,000 CVEs as of June 2025, with no signs of slowing down," Hughes wrote at his Resilient Cyber blog. "That’s double-digit growth year-over-year, and it's safe to say that organizations' internal vulnerability teams haven’t magically experienced double-digit effectiveness and productivity gains from 2024."
"This means vulnerability backlogs will likely accumulate, leading to missed compliance requirements, deviations from SLAs, diminished trust among customers, and an ever-growing attack surface for attackers."
—Chris Hughes
Roger Grimes, a defense evangelist at KnowBe4, said that every year sets a record for the number of CVEs. Last year, there were at least 40,200 individual CVEs. This year, the industry is on target to break that record, possibly going over 42,000, he said.
“Even at just 40,200, that's 109 per day, day after day, year after year, and every previously announced CVE is something defenders have to worry about and make sure they don't have in their environment."
—Roger Grimes
Tyler Reguly, associate director for security R&D at Fortra, said the CVE cost situation is made worse by many organizations' misunderstanding of risk. "Organizations have gotten it into their heads, due to poorly written standards and benchmarks, that they need to patch every vulnerability, or they patch the wrong vulnerabilities due to poorly selected metrics," Reguly said.
"The reality is that managing vulnerabilities is about managing risk, and there are many vulnerabilities that simply never present a risk to the network."
—Tyler Reguly
Hughes also noted that Verizon’s 2025 Data Breach Investigations Report (DBIR) demonstrated that exploitation of vulnerabilities is on the rise, surpassing phishing and threatening to overtake credential abuse, which has traditionally dominated as an initial access vector.
Here's what your organization needs to know about what the focus on CVEs and vulnerabilities is costing — and how to shift focus to malware to better manage software risk.
The true cost of CVEs in dollar terms
Karen Walsh, CEO of the security firm Allegro Solutions, said organizations should treat CVEs like digital potholes: some serious, and some just a bump in the road. However, she added, most vulnerability management programs have limited insight into what attackers are actually doing in the wild, and most companies have no time to build and test exploits around individual CVEs.
“These two issues reinforce each other as teams try to build, test, and install security updates. Vulnerability and patch management teams end up working from limited insights, which makes prioritization impossible at the worst, or deeply error-prone at best.”
—Karen Walsh
Although the new report doesn’t estimate the average amount spent by organizations on in-house CVE mitigation, it did cite average savings of $2.1 million for organizations that outsource mitigation to a third party. When savings data was filtered by revenue segment, it found that midmarket organizations saw the highest average savings, at $2.13 million annually, followed by enterprise organizations, at an annual average of just below $2 million.
Enterprise organizations can realize significant savings in this category because golden-image programs often require substantial platform engineering time to maintain the templates. The report noted that the average savings for organizations that outsource their golden-image work is $400,000.
Another area where outsourcing CVE management can save organizations money is in compliance. On average, companies saved $278,000 annually through outsourcing. The report noted that outsourcing compliance not only saves money, but can also increase revenues by enabling companies to tap into new regulated markets.
Shifting focus can unleash business opportunity
Outsourcing CVE management can also unlock critical areas such as increased revenue, faster innovation, and decreased risks. The Chainguard report said that the average unlocked value in the health care sector was $50.4 million, while in the telecommunications sector it was $48.7 million, and it totaled $32.2 million in the consumer and commerce sector.
Despite the benefits of outsourcing CVE management, some organizations persist with in-house management. “Traditionally, that's the way it's always been done,” noted KnowBe4’s Grimes. “It was far easier to do when there were fewer [CVEs]. Old habits die hard.”
Fortra’s Reguly said that having internal resources that understand the environment and organizational needs can greatly improve your efficiency when it comes to vulnerability management. “Consulting with external experts who can help you with prioritizing and understanding risk can be beneficial, but you cannot effectively manage the risk in an environment if you don’t understand the environment," he said.
Allegro’s Walsh said that insider risk is another concern with outsourcing CVE management. “While outsourcing vulnerability and patch management would reduce internal costs, it creates another layer of insider threat risk,” she said. “The organization still needs to review the work to ensure that the contractor didn't make a mistake.”
“Even more risky, attackers can hide as — or compromise — contractors, potentially leading to a new backdoor being built into the patch.”
—Karen Walsh
Shifting focus to malware is now a requirement
The reality of vulnerability management in the age of sophisticated supply chain attacks is that it diverts attention from malware, tampering, and other modern threats. Cracks in the National Vulnerability Database (NVD) have also emerged, making the CVE system less useful.
Because modern vulnerability management relies on working from discoveries of flaws, security practitioners are likely to scramble to catch up on everything that needs to be patched. While they are doing that, security teams are likely not investing time and energy in proactive security measures that can spot software supply chain security threats before they become reality.
Application security (AppSec) teams trying to figure out how to go about security despite the massive changes with the NVD should consider investing in efforts that will broaden their ability to find all kinds of software supply chain security threats — not just exploitable vulnerabilities.
A new study adds force to the argument that it pays to shift from a vulnerability-centric approach. The study, by a Purdue University researcher, shows that the newer Exploit Prediction Scoring System (EPSS), which many organizations are now using to prioritize vulnerability remediation given the NVD/CVE's decline, is not as effective as previously assumed.
The study demonstrates that, like other vulnerability risk-assessment frameworks, the EPSS is useful but not a completely predictive mechanism for protecting against vulnerability-related threats.
By using a modern software supply chain security solution that harnesses the power of binary analysis and reproducible builds, AppSec teams can instead focus on actionable information such as active malware, software tampering, secrets exposure, and more. These tools allow organizations to become proactive and better manage risk in an age of increasingly complex software.
Learn more with RL's 2025 Software Supply Chain Security Report, including why your team needs to shift beyond vulnerabilities — and get proactive on software risk with modern AppSec tooling.
Keep learning
- Read the 2025 Gartner® Market Guide to Software Supply Chain Security. Plus: See RL's webinar for expert insights.
- Get the white paper: Go Beyond the SBOM. Plus: See the Webinar: Welcome CycloneDX's xBOM.
- Go big-picture on the software risk landscape with RL's 2025 Software Supply Chain Security Report. Plus: See our Webinar for discussion about the findings.
- Get up to speed on securing AI/ML with our white paper: AI Is the Supply Chain. Plus: See RL's research on nullifAI and learn how RL discovered the novel threat.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.