The Verizon DBIR has a lot to say about vulnerabilities. One of the more interesting topics is the large number of vulnerabilities exploited in 2015 that were more than a year old. In a footnote the DBIR authors comment that “Those newly exploited CVEs, however, are mostly – and consistently – older than one year.” The data show that more than 90% of the vulnerabilities exploited in 2015 were more than one year old, and nearly 20% had been published more than 10 years earlier.
This pattern is consistent from year to year. In 2014, more than 95% of exploited CVEs were more than a year old. As you would expect, most of the CVEs remediated in 2015 were recent: over 70% of all CVEs closed in 2015 were no more than two years old, and over 95% were closed within five years of their original publication.