Just as all applications are not equally important, all potential attacks aren’t equally bad. You need more information about those applications to prioritize your actions.
We sometimes talk about threat modeling. At its most basic level, threat modeling is an exercise in “thinking like a hacker” to figure out what an attacker wants to accomplish (the desired “technical impact”) and how to do so (the “attack vector”).
The “technical impact” of an attack is a critical component of your risk ranking. Possible technical impacts include giving the attacker the ability to read or modify data, conduct a denial of service attack, execute unauthorized code, or gain unauthorized privileges. Your goal is to figure out which of these is the “worst case scenario” for each of your critical applications so you can later prioritize individual vulnerabilities accordingly.
For example, if your business involves a social media application, maintaining uptime (the availability of the application) may be critical. A denial of service attack affects revenue by limiting advertising exposures and frustrating users who can’t publish updates to their profile. In this case, vulnerabilities with a high technical impact on availability are prioritized over others. Conversely, if you have an online banking application, you may de-emphasize vulnerabilities whose technical impact is reduced availability: it's much better for the application to be unavailable than to allow an attack that lets the hacker read or modify data.
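The prioritization logic described above can be made concrete by weighting each vulnerability's scanner severity by how bad its technical impact is for the specific application. The following Python is an added example, not code from the original article; the application profiles, weights, vulnerability identifiers and severities are all constructed for illustration, and the five impact categories are the ones the text lists.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The technical impacts named in the text.
TECHNICAL_IMPACTS = (
    "read_data",
    "modify_data",
    "denial_of_service",
    "execute_code",
    "gain_privileges",
)


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str            # constructed identifier, e.g. from a tracker
    technical_impact: str   # one of TECHNICAL_IMPACTS
    base_severity: float    # 0.0 - 10.0, e.g. a scanner's severity score


# Constructed application profiles (assumption): each weight expresses how
# close a given technical impact is to that application's worst case.
# The social media app treats loss of availability as worst; the banking
# app treats reading or modifying data as worst and downtime as tolerable.
APP_PROFILES: Dict[str, Dict[str, float]] = {
    "social_media": {
        "denial_of_service": 1.0,
        "execute_code": 0.9,
        "gain_privileges": 0.8,
        "modify_data": 0.7,
        "read_data": 0.6,
    },
    "online_banking": {
        "read_data": 1.0,
        "modify_data": 1.0,
        "execute_code": 1.0,
        "gain_privileges": 1.0,
        "denial_of_service": 0.2,
    },
}


def worst_case(app: str) -> str:
    """Return the technical impact the profile ranks as the application's worst case."""
    profile = APP_PROFILES[app]
    return max(profile, key=profile.get)


def risk_score(vuln: Vulnerability, profile: Dict[str, float]) -> float:
    """Weight the scanner severity by the application-specific impact weight."""
    if vuln.technical_impact not in TECHNICAL_IMPACTS:
        raise ValueError(f"unknown technical impact: {vuln.technical_impact}")
    weight = profile[vuln.technical_impact]
    return round(vuln.base_severity * weight, 2)


def prioritize(vulns: List[Vulnerability], app: str) -> List[Tuple[str, float]]:
    """Rank vulnerabilities for one application, highest weighted risk first."""
    profile = APP_PROFILES[app]
    scored = [(v.vuln_id, risk_score(v, profile)) for v in vulns]
    # Ties broken by identifier so the ordering is deterministic.
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample findings: the same three vulnerabilities reported
# against both applications.
SAMPLE_VULNS = [
    Vulnerability("V-1", "denial_of_service", 7.5),
    Vulnerability("V-2", "read_data", 6.5),
    Vulnerability("V-3", "modify_data", 5.0),
]


if __name__ == "__main__":
    for app in APP_PROFILES:
        print(f"{app} (worst case: {worst_case(app)})")
        for vuln_id, score in prioritize(SAMPLE_VULNS, app):
            print(f"  {vuln_id}: {score}")
```

Running it shows the inversion the text describes: the denial of service finding V-1 tops the list for the social media profile, while for the banking profile the data-reading finding V-2 moves to the top and V-1 drops to the bottom even though its raw scanner severity is the highest of the three.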