What qualifies a risk as acceptable or not? By when should a confirmed vulnerability be fixed? Perhaps most distressingly, how do we know when a vulnerability has actually been remediated, rather than merely marked closed? Vulnerability management looks different from business to business, but some things are common musts:
A workflow framework that security and development teams agree on, including severity definitions and remediation deadlines per severity
Real-time notification of critical findings to the people who own the affected asset
Active monitoring of remediation progress, with a fix counted as complete only once it has been verified (for example, by a re-scan or re-test of the affected asset), not when the ticket is closed
Visibility throughout the ticket lifecycle, "from soup to nuts": from discovery, through triage and assignment, to verified closure