Vulnerability management programs have a dirty secret that annual security assessments and compliance audits politely decline to examine: the remediation backlog. Organizations that have deployed vulnerability scanners — Tenable, Qualys, Rapid7 — know their vulnerability count precisely. Most of them have more open vulnerabilities than they will remediate in the coming year. Many have more open vulnerabilities than they will remediate in the next three years at their current remediation pace.