Which statement best explains why CVSS alone is not sufficient for prioritizing vulnerabilities?

Multiple Choice

Which statement best explains why CVSS alone is not sufficient for prioritizing vulnerabilities?

Explanation:
CVSS gives a standardized view of how severe a vulnerability is in the abstract: the Base metrics capture its inherent characteristics (attack vector, attack complexity, privileges required, user interaction, and impact on confidentiality, integrity and availability), and optional Temporal and Environmental metrics can refine that picture. But real-world prioritization needs context that the vulnerability alone does not carry. Asset criticality (how important the affected system or data is to the business) and exploit availability (whether attackers can and do exploit the flaw in practice, for example a public exploit, an entry in an exploited-in-the-wild catalog, or a high EPSS probability) determine actual risk. A CVSS 9.8 on an isolated test box may be far less urgent than a CVSS 6.5 on an internet-facing system that holds valuable data and is under active exploitation. The Base score, which is what most scanners and advisories report, encodes none of this business or threat context, and the Environmental metrics that could partly express it are rarely populated in practice. So relying on CVSS alone is not enough to rank remediation effectively. In practice, you combine CVSS with asset value, exposure, threat intelligence about exploitation, patch availability, and compensating controls to set priorities.
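The following is an added example, not part of the original question or explanation, showing one way to turn that reasoning into a prioritization queue. It scales a CVSS base score by asset criticality, exposure in your own environment, and threat intelligence (known exploitation plus an EPSS-style probability). The multipliers, the 1-5 criticality scale, the placeholder finding IDs and the sample assets are all assumptions constructed for illustration; only the CVSS v3.x severity bands and the v3.1 vector-string format come from the CVSS specification.

```python
"""Contextual vulnerability prioritization: CVSS plus asset and threat context.

Added example, not from the original page. The weights, the 1-5 criticality
scale and the sample findings are assumptions chosen for illustration; the
CVSS severity bands and the v3.1 vector format are from the CVSS specification.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    ident: str                # constructed placeholder ID, not a real CVE
    asset: str                # constructed placeholder asset name
    cvss_vector: str          # CVSS v3.1 vector string
    cvss_base: float          # 0.0-10.0 base score
    asset_criticality: int    # assumed scale: 1 (lab/test) .. 5 (business critical)
    internet_exposed: bool    # exposure in *our* environment, not the CVSS AV metric
    known_exploited: bool     # e.g. listed in an exploited-in-the-wild catalog
    epss: float               # 0.0-1.0 probability of exploitation (EPSS-style)
    patch_available: bool


def cvss_band(score: float) -> str:
    """Qualitative severity rating defined by the CVSS v3.x specification."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def attack_vector(vector: str) -> str:
    """Return the AV metric (N, A, L or P) from a CVSS v3.x vector string.

    AV:N only says 'reachable over a network' in the abstract; it does not
    tell you whether *this* host is actually internet-facing.
    """
    metrics = dict(part.split(":", 1) for part in vector.split("/")[1:])
    return metrics["AV"]


def risk_score(f: Finding) -> float:
    """Scale the CVSS base score by asset value, exposure and threat.

    All multipliers are illustrative assumptions, not a published standard.
    """
    asset = f.asset_criticality / 3.0            # 1 -> 0.33 ... 5 -> 1.67
    exposure = 1.5 if f.internet_exposed else 1.0
    threat = 1.0 + (1.0 if f.known_exploited else 0.0) + f.epss
    return f.cvss_base * asset * exposure * threat


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (IDs and asset names are placeholders).
SAMPLE_FINDINGS = [
    Finding("VULN-A", "lab-test-vm", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            9.8, asset_criticality=1, internet_exposed=False,
            known_exploited=False, epss=0.02, patch_available=True),
    Finding("VULN-B", "payments-gateway", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            6.5, asset_criticality=5, internet_exposed=True,
            known_exploited=True, epss=0.90, patch_available=True),
    Finding("VULN-C", "hr-portal", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            7.5, asset_criticality=3, internet_exposed=True,
            known_exploited=False, epss=0.30, patch_available=False),
]


def by_cvss_only(findings: List[Finding]) -> List[str]:
    """What a naive 'highest CVSS first' queue looks like."""
    return [f.ident for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def by_context(findings: List[Finding]) -> List[str]:
    """The same findings ordered by contextual risk."""
    return [f.ident for f in prioritize(findings)]


if __name__ == "__main__":
    print("CVSS only:   ", by_cvss_only(SAMPLE_FINDINGS))
    print("With context:", by_context(SAMPLE_FINDINGS))
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.ident:8} {f.asset:18} CVSS {f.cvss_base} ({cvss_band(f.cvss_base)})"
              f" AV:{attack_vector(f.cvss_vector)} risk={risk_score(f):.1f}")
```

Sorting by CVSS alone puts the 9.8 on the lab VM first; sorting by contextual risk puts the Medium 6.5 on the exposed, actively exploited payments gateway first, which is the point the explanation makes. Note that all three sample vectors are AV:N, so the CVSS attack vector by itself cannot distinguish the isolated host from the internet-facing ones; that distinction has to come from your own asset inventory.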
