Requirements for vulnerability scoring

Take any modern-day network and scan it for vulnerabilities, and you will be overwhelmed by the sheer number of findings. If you keep scanning the network, say monthly, your inventory of vulnerabilities will grow rapidly. Presenting all of these vulnerabilities as-is to senior management will not help; senior management is interested in precise information that is actionable.

A typical vulnerability scanner may find 100 vulnerabilities in a particular system. Out of 100, 30 may be false positives, 25 may be informational, 25 may be low severity, 15 may be medium severity, and five may be high-severity vulnerabilities. Naturally, out of 100 reported vulnerabilities, the five high-severity vulnerabilities are to be addressed as a priority. The rest can be taken care of later as per resource availability.

So, unless a vulnerability is scored, it cannot be assigned a severity rating, and hence it cannot be prioritized for fixing. C-level executives will also want to know which vulnerabilities within the organization are the most severe. Scoring vulnerabilities thus helps in getting the right attention and support from senior management in terms of project visibility and resource allocation. Without scoring, it would be impossible to prioritize vulnerability mitigation and closure.
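As an added worked example (not from the book), the following Python triage routine shows the workflow the preceding paragraphs describe: scanner findings carry a numeric score, the score is mapped to a qualitative severity band, validated false positives are dropped, and what remains is ordered so the highest-severity items are addressed first. The severity bands are an assumption taken from the CVSS v3.x qualitative scale (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0), with a score of 0.0 reported as informational, so it adds a Critical band on top of the four levels named in the text. The `Finding` class, the function names and the sample scanner output are all constructed for this illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    """One scanner result (hypothetical structure, not a real scanner's schema)."""
    host: str
    title: str
    score: float                 # CVSS-style base score, 0.0 to 10.0
    false_positive: bool = False # set to True once an analyst has disproved it


# Ordered from least to most severe; used both for labelling and for thresholds.
BANDS = ["informational", "low", "medium", "high", "critical"]


def severity(score: float) -> str:
    """Map a 0.0-10.0 score to a qualitative band.

    Assumption: CVSS v3.x qualitative boundaries; 0.0 is 'informational'.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score == 0.0:
        return "informational"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def triage(findings):
    """Drop validated false positives and order the rest, highest score first."""
    valid = [f for f in findings if not f.false_positive]
    return sorted(valid, key=lambda f: f.score, reverse=True)


def summarize(findings):
    """Counts per band plus the false-positive count: the one-line figures
    management can act on, instead of the raw list."""
    counts = Counter(severity(f.score) for f in triage(findings))
    counts["false_positive"] = sum(1 for f in findings if f.false_positive)
    return dict(counts)


def priority_queue(findings, min_band="high"):
    """Findings at or above min_band, in the order they should be fixed."""
    threshold = BANDS.index(min_band)
    return [f for f in triage(findings)
            if BANDS.index(severity(f.score)) >= threshold]


# Constructed sample scanner output for one small network (not a real scan).
SAMPLE = [
    Finding("10.0.0.5", "TLS 1.0 enabled on web listener", 5.3),
    Finding("10.0.0.5", "HTTP banner reveals server version", 0.0),
    Finding("10.0.0.7", "Default credentials on admin console", 9.8),
    Finding("10.0.0.7", "Outdated OpenSSH (analyst verified patched)", 7.5,
            false_positive=True),
    Finding("10.0.0.9", "Missing X-Frame-Options header", 3.1),
    Finding("10.0.0.9", "Remote code execution in web app (vendor advisory)", 8.8),
]


if __name__ == "__main__":
    print("Summary for management:", summarize(SAMPLE))
    print("Fix first:")
    for f in priority_queue(SAMPLE):
        print(f"  [{severity(f.score):>8}] {f.score:4.1f}  {f.host}  {f.title}")
```

The summary dictionary is what goes on the executive slide; the priority queue is the engineering work list. Raising or lowering `min_band` is how the remaining findings get scheduled "as per resource availability".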
