Recent events have shown, that vulnerability management is lacking even in large organizations, exposing vulnerabilities which has led to significant downtime, loss of personal data (PII) and the associated financial and reputational consequences. This leads me to believe that vulnerability management is somewhat detached from the risk management process.

https://www.linkedin.com/pulse/its-all-risk-vulnerability-management-michael-christensen/