Security Debt Is Growing Faster Than Companies Can Fix It. Here Is What That Means.
Eight in ten organisations are sitting on a backlog of unresolved security flaws that stretch back more than a year. A practical framework, first outlined in CSO Online, explains how to turn that problem into a board-level conversation.

Key points
- 82% of organisations carried security debt (unresolved software flaws older than one year) as of the latest research period.
- The share of vulnerabilities rated both severe and likely to be exploited is rising year over year.
- 11.3% of discovered flaws carry both high severity and high exploitability, making them the most urgent category.
- Remediation capacity, meaning the actual ability to fix flaws, is the binding constraint, not the ability to find them.
- Security debt affects regulatory standing and the ability to release software safely, not just technical operations.
Finding problems is no longer the hard part. Eight in ten organisations, 82% by current research, now carry what analysts call "security debt": software flaws that were discovered but never fixed, sitting unresolved for more than a year. The backlog keeps growing.
Think of it like financial debt. Left unmanaged, it compounds. Costs show up as delayed product releases, emergency repair work, failed compliance audits, and the expense of responding to an actual breach.
The gap is not between knowing and not knowing. Organisations have better tools than ever for spotting flaws in their software and the third-party code those applications depend on. The gap is between finding and fixing.
What should an ordinary business leader take from this?
The binding constraint is remediation capacity: the engineering time and tooling budget set aside to actually close vulnerabilities after they are found. When new flaws arrive faster than teams can patch them, the backlog expands and the window for criminals to exploit those flaws grows wider.
Not every flaw carries equal risk. Security teams use a scoring system called the Common Vulnerability Scoring System, or CVSS, which rates how serious a flaw is on a numerical scale. Useful, but incomplete. CVSS does not tell you whether a flaw sits inside a system that processes customer payments, or whether criminals already have a working method to exploit it.
Research cited in the framework puts a sharper number on the problem: 11.3% of all discovered flaws combine high severity with high exploitability. That subset deserves a disproportionate share of attention.
The practical recommendation is to layer two filters on top of standard scoring: how reachable is this flaw, and how important is the system it lives in? Apply that filter and most organisations end up with a short, focused list of flaws that genuinely need immediate action.
The same logic applies to which applications get priority. Every organisation has what practitioners call "crown-jewel" systems: customer-facing services, revenue-critical platforms, anything that handles sensitive data. Fixing flaws there first produces the biggest reduction in real-world risk.
For executives, the metrics that matter are not counts of flaws found or patched. Useful context, but they tell you nothing about whether risk is going up or down. More informative: how many high-exploitability flaws sit open in critical systems right now, and how old are they?
Investment in remediation capacity can take several forms: dedicated engineering time ring-fenced for security work, automated tools that suggest or apply fixes, and policies that stop new high-risk flaws from reaching production in the first place.
If you are a customer of any large software-dependent business, none of this requires action on your part today. But if a company you use announces a data breach, check whether your account credentials or payment details were involved and change passwords on any shared accounts promptly.



