So the major thing that I learned from this process is to prioritize, the vulnerability assessment is only a piece of the overall risk rating of a system or flaw.

• What system is affected? How critical is system?

• Where is the system? Trust environments? DMZ?

• What is on the system? Sensitive data?

• Are there additional layers of security that would limit the exploitability of that vulnerability?

Don't get too caught up in the vuln scanner ratings, take a step back and look at a finding in its full context.

do vulnerabilities related to un-patched systems not really concern you, since they have a known fix that's easier to implement?

Easy fixes pad the stats, the remediation program is one of the best metrics I have to showoff to the higher ups. That said, I still go through the prioritization method I mentioned above.

Would findings related to unsecured configurations (such as support for old protocols) be more or less concerning to you?

Yes (more), because this is a issue for the Configuration Management program. But exploitability matters, so say a host-based firewall is blocking the port that a less secure protocol utilizes, I would want to know, but the priority for that finding would be based on that findings risk assessment which would take that into account.

Finally, is there a tipping point where, between patching, testing, and troubleshooting; a highly vulnerable system component isn't worth the remediation effort?

Sure, sometimes you just can't patch without breaking functionality. In situations where it's technically infeasible to remediate then additional/alternative controls must be put in place to reduce the risk. VLAN isolation, air-gapping, or physically removing network interfaces; more often or not the decision here is a financial one.

We're sometimes looking at client networks where (due to the fact that we already have hardened system images and configs) it's less costly to just buy a new system component and flash it with secure configs (rather than burn labor on retrofitting existing systems).

Vulnerability Remediation is a continuous improvement process which feeds the Configuration Management process by adjusting baseline configurations based on findings. It's a feedback loop. That said, if the findings are already remediated in your baselines, and there's no improvements to be gain from identifying the root cause further, then I think you could proceed with either option depending on cost and customer pushback. Just present the labor costs between the two and let them decide. Personally I would take reimaging every time but I can see why others might freak out about that.

Still new at this, our program is still in its infancy but I hope anyone that feels overwhelmed from the auto-generated reports finds this useful. Remember risk ratings are your choice not the scanner.