by kerng 2446 days ago
It is a tool to have a discussion, not a solution to risk management. Security is one of the few fields that uses qualitative measurements, and any attempt at applying more quantitative techniques faces a lot of resistance.

CVSS in isolation is pretty good, but for risk management it lacks "context". A higher level framework would be needed for that.

A bug can have a CVSS score of 10 (critical) and still have little to no impact on the business. It's all about context.

I don't think it was even ever intended to be more than a data point to consider for risk management, but dev