We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

The CVSS, for all its shortcomings (and there are some), has a resolution of one percent, although the supporting documentation advises that its accuracy may be lower than that. Fair enough: it's handling a lot of rather imponderable parameters. However, no organisation I have ever worked with that used the CVSS has ever calculated the environmental score, which is intended to address the local susceptibility of the target to the technological vulnerability being attacked. Its lack of use is probably why it has remained a rather crude metric (a handful of modified base metrics plus confidentiality, integrity and availability requirements for the deployment) while the rest of the CVSS has evolved quite well.

In reality, practically no business for which there's a reliable post-breach incident report has proved robust or resilient. Most have been wide open to the supposedly "sophisticated attacks", which have usually turned out to be relatively trivial to execute.

The most important consideration in security is resilience against the unexpected, but almost all proactive effort so far has been directed at modelling the adversary rather than the target. A more sophisticated (and much less purely technocentric) CVSS environmental metric would be an excellent move towards resilience, but only if people were prepared to use it.

