I read about a product that promises to map security vulnerabilities to common enterprise compliance mandates. While this would, in theory, enable vulnerability remediation to be prioritized based on compliance needs, is this approach recommended? Shouldn't vulnerabilities be prioritized and remediated based on the risk they pose to the organization?