Hacker News

michaelt yesterday at 8:35 PM

> I'm always curious about the companies that require vendors to report all instances where patches to CVSS 9.x vulnerabilities are not applied to all endpoints within 24 hours.

That sounds like a nigh-impossible requirement, as you've written it.

I suspect the actual requirement is much more limited in scope.


Replies

UqWBcuFx6NV4r today at 2:47 AM

No. It’s extremely common for security standards to be completely out of step with what’s actually viable in an organisation, and for aspects of them to be ignored, unspoken.