A completable programme design document: ownership RACI, SLA structure, exception framework, and escalation paths for an audit-defensible VM programme.

Your vulnerability backlog is not one number. It is at least nine. Here are the three segmentations that make it a usable security metric.