I'm trying to understand perspectives around Vulnerability Management (VM) scanning. Let's say you VM scan all devices in production environment, disaster recovery environment, and any machine that can connect to said environments at your office. You also work at a budget conscious company. In this scenario, would you:
Purchase additional VM licenses and champion getting every machine at your office set up with a VM scan.
Do not purchase additional VM licenses; continue VM scans on machines which connect to production environments. Leverage these scan results as a sampling to address vulnerabilities on all machines.
...and what is your reason for why you would choose this?
Everyone is budget conscious. The answer comes down to risk acceptance.
If you don't protect your DR machines to the same level you protect your production machines, you are accepting the increased risk of a failed failover.
If you don't protect your unimportant machines, you accept this risk that they can become attack vectors against your important machines.
If you vulnerability scan only a fraction of your machines, you accept the risk that
... your staff may not equally apply maintenance across the board,
... that some install failures are false negatives (e.g. installed successfully, but the PC was never rebooted), and
... you might forget to remediate temporary patch-exemptions.
At my company, we purchase a site license and install the vuln scanner on all devices to raise the bar and redirect everyone's time and attention to those risk decisions that are more business-facing. Plus it reduces time pacifying auditors.
VM is a pretty fundamental part of a security program, and making sure you have full coverage of your environment is critical. I'd reallocate budget from something else, or even try scanning lower criticality servers with OpenVAS. Risk rate the servers, apply your commercial product to high risk (such as externally connected) and allow low risk servers to be scanned with something else.
It's like driving at 100 kph down a road. You wouldn't do it if you could only see every fifth car.
So why not use a free open source alternative? Yes, it may not be as robust as your current VM solution, but you can use it to supplement for where you do not have licenses, also you can use it to compare.
I use both our paid solution, and the free solution. The paid solution scans our higher risk assets, and the open source solution scans all of our assets.
Additionally, depending on your setup, if all of your machines are using a baseline template/configuration and you don't have deviations from it, you can just scan the template and not have to worry about the licensing. But be careful with that method, as it requires your machines to be exactly the same; otherwise you are ignoring machines.
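The tiering approach from the replies above (commercial scanner on high-risk assets, open-source scanner on everything, and a check for "installed but never rebooted" false negatives) can be turned into a coverage report. This is an added illustration, not code from any poster; the asset fields, tier names and scanner names are assumptions and the inventory is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    environment: str              # assumed values: "prod", "dr", "office"
    internet_facing: bool
    reaches_prod: bool            # office machine that can connect to prod/DR
    scanned_by: set = field(default_factory=set)  # scanners that covered it
    patch_installed: bool = False
    rebooted_after_patch: bool = True

def risk_tier(a: Asset) -> str:
    """Rate the asset: externally connected or production is high risk,
    DR or anything that can reach prod is medium, the rest is low."""
    if a.internet_facing or a.environment == "prod":
        return "high"
    if a.environment == "dr" or a.reaches_prod:
        return "medium"
    return "low"

def required_scanners(a: Asset) -> set:
    """Open source scans every asset; the paid licence is reserved for
    high and medium tiers (prod, DR and machines that reach them)."""
    required = {"opensource"}
    if risk_tier(a) in ("high", "medium"):
        required.add("commercial")
    return required

def coverage_report(assets):
    """Return assets missing a required scanner, plus assets whose patch
    install reported success but which never rebooted (a false negative)."""
    gaps, pending_reboot = [], []
    for a in assets:
        missing = required_scanners(a) - a.scanned_by
        if missing:
            gaps.append((a.name, risk_tier(a), sorted(missing)))
        if a.patch_installed and not a.rebooted_after_patch:
            pending_reboot.append(a.name)
    return {"gaps": gaps, "pending_reboot": pending_reboot}

# Constructed sample inventory, not real hosts.
INVENTORY = [
    Asset("web01", "prod", True, True, {"commercial", "opensource"}),
    Asset("dr-db01", "dr", False, True, {"commercial"}),
    Asset("laptop-07", "office", False, True, {"opensource"}),
    Asset("kiosk-02", "office", False, False, set(), True, False),
]

if __name__ == "__main__":
    print(coverage_report(INVENTORY))
```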