Risk scoring combines CVSS with context: asset criticality (business importance), exposure (internet-facing?), exploit availability (CISA KEV?), and compensating controls — producing a business-contextualized priority.
CVSS measures technical severity; a risk score measures business risk. A CVSS 10 on an isolated dev server is a lower priority than a CVSS 7 on the public payment portal. VPR (Vulnerability Priority Rating) from Tenable incorporates threat intelligence into scoring.
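A minimal sketch of such a contextual score, added here as an illustration and not taken from any scoring standard or from Tenable's VPR. The multipliers, field names and sample findings are all assumptions constructed for the example; a real program would calibrate them against its own asset inventory and threat intelligence.

```python
from dataclasses import dataclass

# Assumed weights, for illustration only (not a published formula).
CRITICALITY = {"low": 0.5, "medium": 0.75, "high": 1.0}
NOT_EXPOSED_FACTOR = 0.5   # asset is not internet-facing
KEV_FACTOR = 1.5           # vulnerability is listed in CISA KEV
CONTROL_FACTOR = 0.8       # reduction per effective compensating control
MAX_CONTROLS = 3           # controls beyond this add no further reduction

@dataclass
class Finding:
    name: str
    cvss: float                     # CVSS base score, 0.0 to 10.0
    criticality: str                # business importance of the asset
    internet_facing: bool           # exposure
    in_kev: bool                    # exploit known to be used in the wild
    compensating_controls: int = 0  # e.g. segmentation, WAF rule

def risk_score(f: Finding) -> float:
    """Scale technical severity by business context, capped at 10."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.name}: {f.cvss}")
    if f.criticality not in CRITICALITY:
        raise ValueError(f"unknown criticality for {f.name}: {f.criticality}")
    score = f.cvss * CRITICALITY[f.criticality]
    score *= 1.0 if f.internet_facing else NOT_EXPOSED_FACTOR
    score *= KEV_FACTOR if f.in_kev else 1.0
    score *= CONTROL_FACTOR ** min(max(f.compensating_controls, 0), MAX_CONTROLS)
    return round(min(score, 10.0), 2)

def prioritize(findings):
    """Return findings ordered from highest to lowest contextual risk."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("dev-server RCE", 10.0, "low", False, False, 1),
    Finding("payment-portal auth bypass", 7.0, "high", True, True, 0),
    Finding("intranet wiki XSS", 6.1, "medium", False, False, 0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.2f}  CVSS {f.cvss:4.1f}  {f.name}")
```

With these assumed weights the CVSS 10 finding on the isolated dev server falls to the bottom of the queue, while the CVSS 7 finding on the payment portal reaches the cap.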