Why many vulnerability management functions are handled by finance or corporate, and not security