Let's try to look through the eyes of the folks on the ground. Even if we have a complete inventory of systems and applications, as well as an understanding of labeling the classification of data, the sheer amount of reporting that comes from several services can be overwhelming. 

The following is an example of how one application can have multiple findings from multiple assessments:

This dilemma only gets more complicated as we add more applications and systems into the mix.

A further analysis needs to be done for the stakeholder, to help them understand which high severity vulnerability needs to be fixed first. Also, a further analysis needs to be done for the stakeholders to understand which application should be fixed first.