Anything regulated / FedRAMP etc has timelines for security issues and they simply don't care how you can explain it. It's just 'fix it'.