These "rating agencies" are becoming more and more prevalent and can be used by customers and cyber insurers. SecurityScorecard and BitSight are two of the originals. Each has its own "scoring algorithm" for multiple risk vectors. Hint: watch for their algorithms to be "improved" this fall.
If you don't know what "assets" you have on the Internet, then they are good at DISCOVERY and rating them. Getting your grade/score to change is SUBSTANTIAL work, especially if your assets are in the thousands and you have hundreds of dev teams. Plan to assign multiple FTEs to move your grade. But you may ask: does moving the grade up fix systemic problems? No. Ultimately, fixing dev processes, CI/CD automation, and everything else they say is wrong with your infrastructure, DNS, web apps, mobile apps, etc. is the root of the problem that needs to change in your organization. Good luck. You are going to need it.