Who is "we", Kemosabe?
"We need to come up with a more dynamic process that takes in the CVSS score, but also factors in knowledge from the system."
Those of us in the business have been doing that very thing for decades, usually without bothering with the CVSS score as the superfluous thing that it is. Got anything new to share with us, Rogers?
(Note: I matters not one whit what you tell Management, all they care about is the bottom line. If your solution can turn a profit, you're Golden. If it's a cost center, they will fight it tooth and nail. Turn broken security into a real, not imagined, cost center (with numbers!) and Bob's your Auntie.)
Biting the hand that feeds IT
