Same Vulnerabilities on the same hosts every month ---FAIL
Reports falling on deaf ears.
Something fundamentally wrong with the program. Either the Application owners are not in the loop, or there is no management support for the whole program. Destined to FAIL
Same Category of Vulnerabilities show up every month -- FAIL
being reactive, not proactive
Erratic Vulnerability Management program -- FAIL
Response to Vulnerabilities should not be chaotic. Identify App owners, Identify failure mechanisms, and process to close out a Vulnerability.
Failed PCI scan after a Vulnerability Assessment. -- FAIL
Always establish proper security Baselines.
No metrics to show the program is working -- FAIL
If you don't know where you are going, then you are not making any progress. Metrics are the key to identifying if your Vulnerability MAnagement program is working or Failing. It will help you react quicker, before you hit the Point of No Return.
Vulnerability Scanner gives inconsistent results -- FAIL
Work with your vendor and understand the Vulnearbility scanner's capabilities and limitations. Understand the network architecture, that you are scanning, and tweak it accordingly. This is very important to get consistent reliable results.
False +ves are legitimate Vulnerabilities -- FAIL
If a manual test shows that the false +ves identified by your teams, are actual vulnerabilities, that shows some serious issues with the team.
Vulnerability Scanners are not supplemented with Manual Scans -- FAIL
Automated testing only goes so far. They still cannot think like humans (attackers) and a very good reason, why you should supplement the automated scans, with manual scans.