In the real world, a database with sensitive information may have a few critical vulnerabilities from time to time, in-between patch cycles, and be considered a critical risk when they are present regardless of the accounts identified. When patch remediation occurs, the asset may still be high risk, if privileged access is not managed, and will drop in risk if privileges are session monitored and access controlled.