D4 · Operations

How do you prioritize patches?

Prioritization factors: CVSS score, active exploitation in the wild (CISA KEV = immediate), asset criticality, internet-facing exposure, availability of compensating controls.
Listed in CISA's Known Exploited Vulnerabilities (KEV) catalog = patch within days. CVSS 9+ on internet-facing assets = patch within 7 days. CVSS 9+ on internal assets = patch within 30 days. Lower scores = per the standard SLA (90-180 days). Context always matters.