Utilize the CISA's KEV catalogue (or similar) to highlight and prioritize unpatched CVEs that are being actively exploited vs just because they might be exploited some day.
We can't just reboot any box for patching any time we want, so we have to triage how urgently a given patch needs to be applied. We don't want to be impacting the business just to patch a theoretical problem CVE, but if exploits are active, some impact can be accepted. Many CVEs are "patch when you have a chance" (scheduled outage or patch window), whereas others are "Stop Everything and patch now" and a good KEV is the tool to help achieve that.
Andy of KonecnyConsulting.ca in Toronto
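The triage described in the post above, sketched as an added example that is not part of the original post or of any product's code. It assumes a scanner export of (host, CVE) pairs and a local copy of the KEV JSON feed; the CVE IDs, hosts and dates are constructed, and using the KEV `dueDate` and ransomware flag to order the urgent list is an assumption of this sketch.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names are the
# feed's; the CVE IDs and dates are made up for illustration).
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2099-0001", "dateAdded": "2099-01-10", "dueDate": "2099-01-31",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2099-0002", "dateAdded": "2099-02-01", "dueDate": "2099-02-22",
   "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner output: (host, unpatched CVE) pairs.
FINDINGS = [
    ("db01", "CVE-2099-0002"),
    ("web01", "CVE-2099-0001"),
    ("web01", "CVE-2099-0003"),   # not in KEV
    ("app02", "CVE-2099-0002"),
]

def triage(findings, kev, today):
    """Split findings into 'patch now' (in KEV) and 'next patch window'."""
    index = {v["cveID"]: v for v in kev["vulnerabilities"]}
    urgent, scheduled = [], []
    for host, cve in findings:
        entry = index.get(cve)
        if entry is None:
            scheduled.append((host, cve))   # no known exploitation: wait for a window
            continue
        due = date.fromisoformat(entry["dueDate"])
        urgent.append({
            "host": host, "cve": cve,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "days_left": (due - today).days,   # negative means overdue
        })
    # Ransomware-linked first, then the closest (or most overdue) due date.
    urgent.sort(key=lambda f: (not f["ransomware"], f["days_left"], f["host"]))
    return urgent, scheduled

if __name__ == "__main__":
    urgent, scheduled = triage(FINDINGS, KEV_SAMPLE, date(2099, 2, 10))
    for f in urgent:
        print("PATCH NOW  ", f)
    for host, cve in scheduled:
        print("NEXT WINDOW", host, cve)
```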