Gary McCully on signs that your vulnerability management program is failing. An excerpt:
As a security consultant, I have performed my share of quarterly vulnerability assessments for many of our clients. Many times I find a critical vulnerability on one of the client's systems, and contact them to inform them that I recommend the vulnerability be addressed as soon as possible. Three months pass, and once again it is time to perform a vulnerability assessment on the client I found the critical vulnerability on three months earlier. To my amazement, I find that the critical vulnerability I had said should be addressed as soon as possible had not been addressed.