- A lot of effort goes into classifying each vulnerability; assessing business impact requires an understanding of the organization and communication with clients
- A lot of standards do not use it. For example, PCI-DSS uses CVSS.
- Informal methods measure business impact and factor in the consultant's expertise and understanding of the business. But consultancies might find it difficult to justify the ratings to clients; very opinionated
- CVSS does not take into account the importance of a given asset. It’s entirely possible that a medium vulnerability on a mission-critical server should be remediated before a critical vulnerability on the guest check-in kiosk in the lobby of your corporate headquarters.
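
The kiosk-versus-server point above, worked through as an added example (not from the original notes or the linked article). The asset classes, their weights, and the sample findings are assumptions constructed for illustration; only the severity bands come from the CVSS v3.x qualitative rating scale.

```python
from dataclasses import dataclass

# Assumed asset-criticality weights (hypothetical scale, not part of CVSS).
ASSET_WEIGHT = {"mission_critical": 2.0, "standard": 1.0, "low_value": 0.4}

def cvss_band(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

@dataclass(frozen=True)
class Finding:
    title: str
    asset: str
    asset_class: str
    cvss: float

def priority(f: Finding) -> float:
    """Base score scaled by asset weight (an assumed, simple model)."""
    cvss_band(f.cvss)  # rejects out-of-range scores
    # An unclassified asset gets the highest weight, so a gap in the
    # asset inventory never silently lowers a finding's priority.
    weight = ASSET_WEIGHT.get(f.asset_class, max(ASSET_WEIGHT.values()))
    return round(f.cvss * weight, 2)

def remediation_order(findings):
    """Highest priority first; ties broken by title for a stable order."""
    return sorted(findings, key=lambda f: (-priority(f), f.title))

# Constructed sample findings, not real scan output.
FINDINGS = [
    Finding("Finding A", "lobby-kiosk", "low_value", 9.8),
    Finding("Finding B", "payments-db", "mission_critical", 6.5),
    Finding("Finding C", "intranet-wiki", "standard", 5.3),
]

if __name__ == "__main__":
    for f in remediation_order(FINDINGS):
        print(f"{priority(f):6.2f}  {cvss_band(f.cvss):8}  {f.asset}  {f.title}")
```

Sorting the same findings by base score alone would put the kiosk first; the weighted order puts the medium-rated finding on the mission-critical server first.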
Resources: A Case Against CVSS: Vulnerability Management Done Wrong | by Henry Howland | Medium