Kenna’s open source Exploit Prediction Scoring System (EPSS) threat calculator is a significant advance in risk theory over using the Common Vulnerability Scoring System (CVSS) on its own.
For example, CVE-2019-0708 (Remote Desktop Services Remote Code Execution Vulnerability, May 14, 2019) has an EPSS threat score of 95.2%, the probability of its being exploited in the next 12 months, alongside a CVSS score of 9.8 (Critical).
That may be an obvious outcome, but it hopefully illustrates some of the importance of adding threat data to the vulnerability remediation timeline.
The real trick is finding vulnerabilities with a low CVSS score but a high EPSS score, because that combination indicates a risk perception imbalance that can quickly lead to disaster.
On top of this advancement, consider also the recently released riskquant tool, which does the basic likelihood/severity mapping that has probably been debated in every disaster recovery planning audit meeting for the last 20 years, let alone in NIST SP 800-30.
…annualized loss is the mean magnitude averaged over the expected interval between events, which is roughly the inverse of the frequency (e.g. a frequency of 0.1 implies an event about every 10 years)…
Both tools are meant to help move from point scores of severity to trends of probabilistic likelihood, and both should be given a look sometime in the near future.
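To make the two ideas above concrete, here is an added worked example in Python (not code from Kenna's EPSS calculator or from riskquant): it flags findings whose CVSS score is low but whose EPSS score is high, and it computes a riskquant-style annualized loss by treating the 12-month EPSS probability as an annual event frequency multiplied by a mean loss magnitude. The finding list (apart from the CVE-2019-0708 figures quoted above), the loss magnitudes and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float           # CVSS base score, 0.0 to 10.0
    epss: float           # EPSS: probability of exploitation in the next 12 months, 0.0 to 1.0
    mean_loss_usd: float  # constructed mean loss magnitude if exploited (assumption)


def expected_interval_years(frequency_per_year: float) -> float:
    """Expected interval between events is roughly 1/frequency (0.1 -> about 10 years)."""
    return 1.0 / frequency_per_year


def annualized_loss(frequency_per_year: float, mean_magnitude: float) -> float:
    """riskquant-style annualized loss: mean magnitude spread over the expected
    interval between events, which is the same as frequency * magnitude."""
    if frequency_per_year <= 0:
        return 0.0
    return frequency_per_year * mean_magnitude


def perception_imbalance(f: Finding, cvss_max: float = 6.9, epss_min: float = 0.5) -> bool:
    """True when CVSS alone ranks the finding Medium or lower (assumed threshold 6.9)
    but EPSS says exploitation within a year is more likely than not (assumed 0.5)."""
    return f.cvss <= cvss_max and f.epss >= epss_min


def prioritize(findings):
    """Return (cve, annualized loss, imbalance flag) rows sorted by annualized loss,
    using the EPSS probability as the annual frequency (an assumption, not EPSS doctrine)."""
    rows = [(f.cve, round(annualized_loss(f.epss, f.mean_loss_usd), 2), perception_imbalance(f))
            for f in findings]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed sample: the first row uses the CVSS 9.8 / EPSS 95.2% figures for CVE-2019-0708;
# the other two rows are invented placeholders with a shared, assumed loss magnitude.
SAMPLE = [
    Finding("CVE-2019-0708", 9.8, 0.952, 250_000.0),
    Finding("PLACEHOLDER-B", 5.3, 0.80, 250_000.0),   # low CVSS, high EPSS: the imbalance case
    Finding("PLACEHOLDER-C", 9.1, 0.02, 250_000.0),   # high CVSS, rarely exploited
]

if __name__ == "__main__":
    for cve, ale, flag in prioritize(SAMPLE):
        print(f"{cve:15} annualized loss ${ale:>12,.2f}  imbalance={flag}")
```

Sorting by annualized loss rather than CVSS moves PLACEHOLDER-B above PLACEHOLDER-C despite its lower severity score, which is exactly the imbalance the post warns about.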