A common practice that most organisations adopt as part of their security hygiene is identifying vulnerabilities on their machines and patching them as soon as a patch is made available. What we discovered was that the most critical vulnerabilities often get patched first, before the other severities are looked at.
Without a full understanding of the exposure of these vulnerabilities and their connectivity to other systems, severity levels may offer a false sense of security, since an attacker could leverage multiple low- and medium-severity exploits and eventually find their way to the crown jewels.
Therefore, it is important to have a complete view of the connectivity to these vulnerabilities, so that patching of systems that are highly connected, despite having a lower-severity vulnerability, could potentially be prioritised.
Taken independently, these vulnerabilities might each be Low or Medium severity, but when combined, the result is an attacker who can gain remote access with administrator-level privileges, which many organisations would (or at least should) consider high risk.
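
The difference between the two orderings can be seen on a small inventory. The sketch below is an added example, not something from the original page: the host names, scores and allowed connections are constructed, and the rule "hosts on a path from the entry point to the crown jewel first, then by severity" is an assumed simplification of connectivity-aware prioritisation.

```python
from collections import deque

# Constructed sample inventory: host -> highest open vulnerability score (0-10).
SEVERITY = {"web01": 4.3, "jump01": 5.0, "hr-pc": 9.8, "db01": 3.1, "print01": 9.1}
# Constructed allowed connections (source -> destinations), e.g. from firewall rules.
EDGES = {
    "internet": ["web01"],
    "web01": ["jump01"],
    "jump01": ["db01", "print01"],
    "hr-pc": ["print01"],
}
ENTRY, CROWN_JEWEL = "internet", "db01"

def reachable(graph, start):
    """Return every node reachable from start (breadth-first search)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def reverse(graph):
    """Flip every edge so reachability can be computed towards a target."""
    rev = {}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev

def rank_by_severity():
    """Patch order when only the severity score is considered."""
    return sorted(SEVERITY, key=lambda h: -SEVERITY[h])

def rank_by_exposure():
    """Hosts on a path from ENTRY to CROWN_JEWEL first, then by severity."""
    from_entry = reachable(EDGES, ENTRY)
    to_crown = reachable(reverse(EDGES), CROWN_JEWEL) | {CROWN_JEWEL}
    on_path = from_entry & to_crown
    return sorted(SEVERITY, key=lambda h: (h not in on_path, -SEVERITY[h]))

if __name__ == "__main__":
    print("severity only:     ", rank_by_severity())
    print("connectivity-aware:", rank_by_exposure())
```

In this sample, the three low and medium hosts that form the chain to `db01` move ahead of the two critical hosts that have no route to it.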