Ramblings of an aging IT geek

a vulnerability with a logo and a website

The OpenSSL pre-announcement panic earlier this month, and why a branded vulnerability is rarely the one that gets you.


Earlier this month the OpenSSL team pre-announced a "critical" fix, gave everyone a week's notice, and watched the industry collectively brace for another Heartbleed. I spent a chunk of that week inventorying which of my boxes were even on OpenSSL 3.x, because the bug only affected the newer line. Then 3.0.7 actually landed, the severity was quietly downgraded to high, and the punycode buffer overflows turned out to need a fairly specific set of stars to align.
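The inventory step above is the part worth automating. What follows is an added example, not a script from this post: a small POSIX shell helper that parses the output of `openssl version` and answers the one question that mattered that week, whether a box is on the 3.0.x line older than the 3.0.7 fix (3.0.0 through 3.0.6). It assumes the usual banner format `OpenSSL 3.0.5 5 Jul 2022`; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Decides whether an installed
# OpenSSL sits in the 3.0.0..3.0.6 range that the 3.0.7 release fixed.
# Assumes the "openssl version" banner format "OpenSSL 3.0.5 5 Jul 2022".

# Return 0 (true) when the version string is 3.0.0 through 3.0.6, i.e. older
# than the 3.0.7 fix; return 1 for the 1.1.1 line, 3.0.7 and later, and 3.1+.
openssl_needs_307() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    # Drop a trailing non-numeric suffix such as the "q" in 1.1.1q or "-dev".
    patch="${patch%%[!0-9]*}"
    [ "$major" = "3" ] || return 1
    [ "$minor" = "0" ] || return 1
    [ "${patch:-0}" -lt 7 ]
}

# Pull the bare version number (second word) out of an "openssl version" banner.
openssl_version_from_banner() {
    banner="$1"
    set -- $banner
    printf '%s\n' "$2"
}

# Check the binary on this host, if there is one, and print a one-line verdict.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no openssl binary on PATH"
        return 0
    fi
    v=$(openssl_version_from_banner "$(openssl version)")
    if openssl_needs_307 "$v"; then
        echo "openssl $v: 3.0.x before 3.0.7, needs the update"
    else
        echo "openssl $v: not in the affected 3.0.x range"
    fi
}

check_local_openssl
```

Run it over a fleet with whatever remote-execution tool you already have and grep the output for "needs the update"; the version check only sees the system binary, so statically linked applications that bundle their own OpenSSL still need a separate look.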

I am not complaining about the caution. A week of warning is a kind gesture to the people who have to patch. But it does reinforce something I keep relearning: the vulnerabilities that get you are almost never the ones with a name, a logo and a countdown. Those get patched in a hurry by everyone at once, precisely because they are loud.

The ones that actually ruin a quarter are the boring CVEs in some dependency three layers down that nobody is tracking, the unauthenticated endpoint someone left exposed, the credential in a config file. No website. No mascot. Just a slow, quiet compromise that nobody noticed until the logs got interesting.

So patch the famous one, yes. Then go and read your own attack surface, because that is where the unbranded trouble lives.