Re: analysis paralysis
Excellent phrase, sir. My uncharitable attitude to Vulnerability Management (and pen-testers and auditors) is that they're paid to find and "manage" issues, but not to help fix them.
If a company has a CMDB and a regular patching & hardening program, it's relatively easy to accelerate the process and the schedule to handle out of cycle fixes. If you don't have those in place, you'll waste a lot of time analysing, planning and firefighting.
Posted as AC, but my colleagues in Vulnerability Manglement will probably know it's me anyway - I've said it to their faces a few times.