What is high risk?
You are staring at a 10,000-row spreadsheet of vulnerability scanner results…and that's 10,000 after filtering for high risk.
You are tasked with managing vulnerabilities on a large network and have a background in penetration testing. Naturally you assume this network will be subject to a nation-state adversary combing through every corner to extract juicy secrets. They will take advantage of every vulnerability to disrupt operations, steal data and intercept payments.
You present your findings to your leadership, who have…mild concern…but of course kick it back to you to chase down whatever is "most important." You'll have to figure out which ones are worth fixing. You might spend hours chasing them down, incurring cost for the company, and still prevent zero cyber-attacks if you picked the wrong ones. Going after everything clearly won't work.
A better approach is to threat model the vulnerabilities, starting with the ones most likely to be attacked. That makes the obvious starting point anything accessible from the internet. These are the vulnerabilities with the most exposure: attackers can reach them right now. These servers and websites should be scanned every few weeks to keep up with web site changes.
For internal systems, you need to look at the most likely way they would be hit. In your org it probably isn't an APT; it is more likely to be Helen in Sales downloading a ransomware installer that looks for other systems to spread to. With this threat model in mind, you focus on outdated operating system vulnerabilities that are common targets for malware.
For any that remain (probably still a big list!), you look for vulnerabilities that would be easier to exploit for a low-sophistication attacker who managed to plug into the network at a remote site. You prioritize simple code execution vulnerabilities which would allow trivial system takeover with only a web browser.
You do NOT focus on further isolated subnets for things like research or manufacturing. The additional segmentation means an even smaller set of threats would ever reach them, and they should be assessed in a separate project.
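The ordering described above (internet-facing first, then internal hosts on unsupported operating systems, then unauthenticated code execution reachable from the LAN, with isolated subnets deferred) turned into a small triage script. This is an added example, not the author's tooling; the CSV columns, the sample findings and the isolated subnet range are constructed assumptions, and the keyword matching on finding titles is a deliberately simple stand-in for whatever your scanner exports.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample of scanner output (hypothetical hosts and findings, not real scan data).
SAMPLE_CSV = """host,ip,exposure,title,auth,cvss
web01,198.51.100.10,internet,Outdated TLS configuration,none,5.3
fs02,10.0.1.20,internal,Unsupported Windows version,none,9.8
app03,10.0.2.15,internal,Unauthenticated remote code execution in web console,none,9.8
cam07,10.0.3.40,internal,IPTV device allows layer 2 access,none,7.5
lab01,10.50.0.8,internal,Unsupported Windows version,none,9.8
"""

# Assumed: research/manufacturing subnets are isolated and assessed in a separate project.
ISOLATED_SUBNETS = [ip_network("10.50.0.0/16")]


def in_isolated_subnet(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ISOLATED_SUBNETS)


def tier(row: dict) -> int:
    """Map one finding to the post's order of work.

    1 = reachable from the internet right now
    2 = internal host on an outdated/unsupported OS (commodity ransomware target)
    3 = unauthenticated code execution a low-skill attacker on the LAN could use
    0 = deferred: isolated subnet (separate project) or none of the above
    """
    title = row["title"].lower()
    if in_isolated_subnet(row["ip"]):
        return 0
    if row["exposure"] == "internet":
        return 1
    if "unsupported" in title or "end of life" in title:
        return 2
    if "code execution" in title and row["auth"] == "none":
        return 3
    return 0


def triage(csv_text: str) -> list:
    """Return [(tier, host)] for actionable findings, most urgent tier first;
    within a tier, higher CVSS first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    ranked = [(tier(r), r) for r in rows]
    actionable = [(t, r) for t, r in ranked if t > 0]
    actionable.sort(key=lambda tr: (tr[0], -float(tr[1]["cvss"])))
    return [(t, r["host"]) for t, r in actionable]


if __name__ == "__main__":
    for t, host in triage(SAMPLE_CSV):
        print(t, host)
```

Note that the IPTV finding and the lab host drop out entirely: the first matches none of the threat scenarios, the second belongs to the separate isolated-network assessment.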
Vulnerabilities that matter are not random IPTV devices that might allow layer 2 access to another system. Vulnerabilities that matter are forgotten Windows systems that needed to be patched ahead of a "minor" ransomware outbreak…this is how you will safeguard your company, not by getting to zero scan results!