How do you decide which security findings to fix first when deadlines are tight and resources are limited?