CVSS explains severity. Business Risk Score explains priority.
CVSS is a valuable technical baseline, but remediation priority also depends on exploit likelihood, exposure, asset importance, data sensitivity and operational constraints.
Why this distinction matters
CVSS answers an important question: how technically severe is the vulnerability? Business prioritization answers a different question: what is the practical risk to this organization right now? Both questions matter, but they should not be mixed into one unclear number.
A vulnerability on an internet-facing production identity system may require emergency remediation even if another system has a similar CVSS score. The difference is context: exposure, business function, data, exploit maturity and available controls.
What changes business priority?
Business priority increases when the affected asset is internet-facing, supports a critical service, contains sensitive data, is known to be exploited, has a high EPSS probability or is hard to patch quickly. Compensating controls may reduce practical exposure, but they usually do not remove the underlying vulnerability.
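The sketch below is an added example, not code from this page or from any product: it keeps CVSS as its own field and derives a separate priority tier from the context factors listed above. The tier names, the 0.5 EPSS cut-off, the one-point-per-factor counting and the sample findings are all assumptions made for illustration.

```python
from dataclasses import dataclass

EPSS_HIGH = 0.5  # assumed cut-off for "high EPSS probability"
TIERS = ("scheduled", "expedited", "emergency")  # assumed tier names

@dataclass
class Finding:
    name: str
    cvss: float  # technical severity; reported as-is, never rescaled
    epss: float = 0.0
    internet_facing: bool = False
    critical_service: bool = False
    sensitive_data: bool = False
    known_exploited: bool = False
    hard_to_patch: bool = False
    compensating_control: bool = False

def priority(f):
    """Return (tier, reasons) from context only; CVSS stays a separate field."""
    checks = [(f.internet_facing, "internet-facing"),
              (f.critical_service, "critical service"),
              (f.sensitive_data, "sensitive data"),
              (f.known_exploited, "known exploited"),
              (f.epss >= EPSS_HIGH, "high EPSS"),
              (f.hard_to_patch, "hard to patch quickly")]
    reasons = [label for hit, label in checks if hit]
    score = len(reasons)
    if f.compensating_control and score:
        score -= 1  # exposure is reduced, but the finding stays in the queue
        reasons.append("compensating control in place")
    tier = TIERS[2] if score >= 3 else TIERS[1] if score >= 1 else TIERS[0]
    return tier, reasons

def rank(findings):
    """Order by business tier first; CVSS only breaks ties within a tier."""
    return sorted(findings, key=lambda f: (TIERS.index(priority(f)[0]), f.cvss), reverse=True)

# Constructed sample findings (not real assets or CVEs).
FINDINGS = [
    Finding("internal build server", cvss=8.1, epss=0.03),
    Finding("customer portal behind WAF", cvss=9.8, epss=0.6, internet_facing=True,
            sensitive_data=True, compensating_control=True),
    Finding("production identity provider", cvss=8.1, epss=0.72, internet_facing=True,
            critical_service=True, sensitive_data=True, known_exploited=True),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(priority(f)[0], f.cvss, f.name, priority(f)[1])
```

The two findings with CVSS 8.1 land in different tiers, and the CVSS 9.8 portal ranks below the identity provider because its context is weaker, while every finding remains in the output with its reasons attached.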