With only about 15% of vulnerabilities actually exploitable, patching every vulnerability is not an effective use of time.