How do you prioritize which vulnerabilities to patch first when a new scan report generates hundreds of findings?