90% of cyber risk assessment is wasted work; shift focus to quality
(And 7% of statistics are made up on the spot.) Nonetheless, the wasted energy going into assessing the risk of vulnerabilities that will never cause action should be redirected toward work that actually creates value.
I have heard (often, across multiple top-ten device manufacturers) that 90% of vulnerabilities don't cause any action. And yet many obligatory SOPs require companies to risk-rate every postmarket vulnerability, no matter the product and no matter its patching cycle. This is a recipe for extreme worker frustration.
This is often done in the name of compliance. That is bunk. FDA and other global regulators are reasonable. They wouldn't ask for wasted work with zero evidence of its value. (Note: If your team is blaming the regulator for unreasonable requests, the cause is usually their lack of freedom to be creative, lack of empowerment, or something else preventing them from finding a solution. Motivate them to find the win-win of business value AND regulatory compliance.)
So how did we get here? In a scramble to transform a hardware industry into a software industry, we lost our way and created a panic. The best product security leaders know their regulator, have directly helped shape the regulations, and play the role of soothing product teams so they can adjust and do the right thing without so much waste.
Fortunately, there's a bright side even if your teams have been spending effort this way: the journey hasn't been wasted. Now that we have SBOMs, we can start to use vulnerabilities (and other sources of software quality data) as lagging indicators of risk to be systematically fixed upstream. Yes, you still have to monitor and manage postmarket vulnerabilities and patch devices on a reasonable schedule. But you can do this with drastically less cost and burnout than you have now, while increasing quality and compliance.
But now the focus can turn to systematically improving the process of developing software using SBOMs+vulns as lagging indicators of quality.
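As an added example (not from the original post), here is the aggregation step the last two paragraphs describe. It joins constructed CycloneDX-style SBOM fragments for two hypothetical products against a constructed list of placeholder vulnerability records (ids EX-000x, not real advisories) and turns the per-finding triage statuses into lagging indicators: which component version generates the most actionable findings across the fleet (the upstream fix worth prioritizing) and which components have only ever produced not_affected dispositions (the per-vulnerability rating worth stopping). The product names, component versions, fix versions, and statuses are all assumptions; the status values follow the VEX vocabulary (affected / not_affected).

```python
"""Join SBOMs against a vulnerability list, then aggregate the triage results
into lagging quality indicators instead of risk-rating each finding in isolation.
All data below is constructed for illustration."""
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragments for two hypothetical products.
SBOMS = {
    "pump-fw": {"components": [
        {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"name": "busybox", "version": "1.31.1", "purl": "pkg:generic/busybox@1.31.1"},
    ]},
    "monitor-fw": {"components": [
        {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    ]},
}

# Constructed vulnerability records; ids are placeholders, not real advisories.
# "status" is the triage outcome already recorded for that (purl, vuln) pair.
VULNS = [
    {"id": "EX-0001", "purl": "pkg:generic/openssl@1.1.1k", "fixed_in": "1.1.1l", "status": "affected"},
    {"id": "EX-0002", "purl": "pkg:generic/openssl@1.1.1k", "fixed_in": "1.1.1l", "status": "not_affected"},
    {"id": "EX-0003", "purl": "pkg:generic/openssl@1.1.1k", "fixed_in": "1.1.1l", "status": "not_affected"},
    {"id": "EX-0004", "purl": "pkg:generic/zlib@1.2.11", "fixed_in": "1.2.12", "status": "affected"},
    {"id": "EX-0005", "purl": "pkg:generic/busybox@1.31.1", "fixed_in": "1.32.0", "status": "not_affected"},
    {"id": "EX-0006", "purl": "pkg:generic/busybox@1.31.1", "fixed_in": "1.32.0", "status": "not_affected"},
]


def match_findings(sboms, vulns):
    """One finding per (product, component, vuln) whose purl matches exactly."""
    by_purl = defaultdict(list)
    for v in vulns:
        by_purl[v["purl"]].append(v)
    findings = []
    for product, sbom in sboms.items():
        for comp in sbom["components"]:
            for v in by_purl.get(comp["purl"], []):
                findings.append({"product": product, "component": comp["name"],
                                 "version": comp["version"], "vuln": v["id"],
                                 "fixed_in": v["fixed_in"], "status": v["status"]})
    return findings


def lagging_indicators(findings):
    """Roll per-finding triage results up to (component, version) level."""
    per_component = defaultdict(lambda: {"findings": 0, "affected": 0, "not_affected": 0,
                                         "products": set(), "fixed_in": set()})
    for f in findings:
        c = per_component[(f["component"], f["version"])]
        c["findings"] += 1
        c["affected"] += int(f["status"] == "affected")
        c["not_affected"] += int(f["status"] == "not_affected")
        c["products"].add(f["product"])
        c["fixed_in"].add(f["fixed_in"])
    total = len(findings)
    no_action = sum(c["not_affected"] for c in per_component.values())
    return {"total": total,
            "no_action_rate": (no_action / total) if total else 0.0,
            "components": dict(per_component)}


def upstream_priorities(indicators):
    """Components ordered by actionable findings a single version bump would close,
    fleet-wide (not by raw finding count, which rewards noisy-but-harmless components)."""
    rows = [{"component": name, "version": ver, "affected": c["affected"],
             "products": sorted(c["products"]), "fixed_in": sorted(c["fixed_in"])}
            for (name, ver), c in indicators["components"].items()]
    return sorted(rows, key=lambda r: r["affected"], reverse=True)


def standing_no_action(indicators):
    """Component versions whose findings have all been not_affected so far: record the
    justification once rather than re-rating every new vulnerability against them."""
    return sorted(key for key, c in indicators["components"].items()
                  if c["findings"] and c["not_affected"] == c["findings"])


if __name__ == "__main__":
    ind = lagging_indicators(match_findings(SBOMS, VULNS))
    print(f"{ind['total']} findings, {ind['no_action_rate']:.0%} required no action")
    for row in upstream_priorities(ind):
        print(f"  {row['component']}@{row['version']}: {row['affected']} actionable "
              f"across {row['products']}, fixed in {row['fixed_in']}")
    print("standing not_affected:", standing_no_action(ind))
```

On the constructed data, two thirds of the findings required no action, all of them coming from three vulnerability records reused across two products and one component that has never been affected; the one upstream version bump that matters is openssl, shared by both products. Running the same report on real SBOMs and real triage history is what turns "90% need no action" from an anecdote into a number you can show the regulator.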
~Shannon, the Optimistic Optimizer