How useful is CVSS Score in CVE triage - The CVSS who cried wolf
Based on CVSS Score alone, you cannot effectively prioritize issues without taking considerable risk. Other than the practically non-existent Low CVSS severity category, every severity category has numerous exploited vulnerabilities.
We analyzed 750 exploited vulnerabilities so you don't have to
Doing what sounds reasonable is great, but we have data. TL;DR: most vulnerabilities that you must patch are in collaboration tools, CMSs, web frameworks, web servers, administrative and developer tools, and security appliances. You should also set automatic updates for Windows.