The 2025 State of Vulnerability Management & Remediation Report Reveals that Reactive Approaches and Skills Shortages Plague Organizations
[Vancouver, BC] – [March 6, 2025] Today, ActiveState announced the release of its 2025 State of Vulnerability Management & Remediation Report, revealing critical gaps in how organizations manage and remediate vulnerabilities. This inaugural report, based on a comprehensive survey of more than 300 DevSecOps professionals, exposes the challenges organizations face in today’s complex software ecosystems, including reactive approaches, skills shortages, and an overwhelming volume of vulnerabilities.
One of the report’s key findings is that vulnerable and outdated components are the primary elements affecting organizations’ security posture (cited by 20.26% of respondents). Open-source components constitute a significant portion of modern applications, with studies showing that up to 96% of enterprise applications rely on open-source libraries, often making up 60-80% of the codebase. A single vulnerable library can compromise the entire application, as seen in high-profile breaches like Equifax (2017) and Log4j (2021).
The report highlights that when a vulnerability is discovered, almost half (45.16%) of respondents’ organizations act immediately with a hotfix. This reflects a reactive approach to addressing security threats as they arise, potentially sidelining planned roadmap items and feature enhancements due to the immediate need to address the vulnerability.
The 2025 State of Vulnerability Management & Remediation Report also found that the biggest challenge in achieving faster deployments while maintaining security is balancing speed with security controls (34.07%). Modern organizations face an ever-growing number of vulnerabilities due to the increasing complexity of software ecosystems and the rapid discovery of new issues.
Key findings from the report include:
- A diffusion of responsibility, where remediation efforts are fragmented across different teams without a single point of accountability. Nine percent (9.03%) of respondents indicated that “No One” owns remediation within their organization.
- Over 27% of respondents said that their biggest challenge to responding faster and more securely to vulnerability management is a lack of skills within their teams.
- A failure to integrate security into the software development lifecycle (e.g., through DevSecOps) leads to vulnerabilities being addressed after deployment rather than during development. This reactive approach is significantly more costly, with studies indicating that fixing vulnerabilities in production can be 10 to 30 times more expensive than addressing them during the SDLC [1].
To address these challenges, the report recommends that organizations:
- Prioritize open source posture management.
- Understand the true extent of risk with vulnerability blast radius.
- Make smarter decisions with a risk prioritization copilot.
- Fix vulnerabilities faster with a precision remediation pipeline.
“The findings of the 2025 State of Vulnerability Management & Remediation Report underscore the urgent need for organizations to rethink their approach to vulnerability management,” said Scott Robertson, CTO, ActiveState. “By embracing automation, intelligence, and a proactive mindset, organizations can strengthen their security posture, accelerate innovation, and reduce overall risk.”
Learn more about all of the key findings, which will help CISOs and DevSecOps teams approach the hard conversation about remediating and protecting their enterprise open source security posture and securing their software supply chains.
Download the full report today.
About ActiveState
ActiveState enables DevOps, InfoSec, and Development teams to improve their security posture while simultaneously increasing productivity and innovation to deliver secure applications faster.
We are the only ASPM solution in the market today that offers Intelligent Remediation, which identifies which vulnerabilities to prioritize, assesses the impact of updates causing breaking changes, prioritizes what to fix first, securely builds open source packages from source, and facilitates the build and deploy process to get fixes into production quickly and easily.
All from the trusted partner that pioneered and continues to lead enterprise adoption and use of open source software.
©2025, ActiveState, Inc. All rights reserved.
Contact:
ActiveState
Eric Thompson, Director of Brand Communications
Additional reference:
[1] Functionize. (2023, January 5). The cost of finding bugs later in the SDLC. Retrieved from https://www.functionize.com/blog/the-cost-of-finding-bugs-later-in-the-sdlc