Most security programs still behave as if the core job is to find vulnerabilities, rank them, and hope the important ones stand out on their own.
That is no longer enough, because impact does not emerge from labels. It emerges from paths.
A weakness matters because it changes what becomes reachable. The real question is not just whether a flaw exists. It is what capability it creates, what it composes with, and what route it opens toward a meaningful outcome.
Take a file-path control issue. In a findings-first frame, it may look like constrained file access. In a paths-first frame, it may expose configuration, service credentials, or deployment secrets that move the route into a more privileged sphere.
Apache HTTP Server CVE-2021-41773 and CVE-2021-42013 made that visible in public: path traversal and disclosure were not the end of the story, because the same route could become remote code execution when the surrounding CGI surface was enabled.
That is the difference between counting a bug and understanding leverage: the label describes the issue, but the route describes the consequence.
This is why the shift underway is not just better vulnerability discovery. It is exploit-path construction and validation: identify capabilities, build candidate routes, test them quickly, and keep what survives reality.
Bug finding still matters. It just stops being the best standalone unit for understanding impact.
The teams that adapt first will be the teams that externalize the middle layer: primitives, constraints, transitions, candidate paths, and validation loops.
If you still think the core security problem is counting findings, you are looking at the wrong level.
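The middle layer described above, sketched as an added example that is not part of the original post: findings become transitions with capability and environment preconditions, and candidate routes are searched and reduced to the minimal ones. The step, capability and fact names are constructed for illustration and are not a standard schema.

```python
from collections import deque

# Constructed model: (step, capabilities required, environment facts required, capability gained).
# Step names, capability names and fact names are illustrative assumptions.
TRANSITIONS = [
    ("file-path control flaw", {"network_access"}, set(), "path_control"),
    ("read files outside web root", {"path_control"}, set(), "file_read"),
    ("recover credentials from config", {"file_read"}, {"secrets_in_config"}, "service_credentials"),
    ("log in to internal service", {"service_credentials"}, {"service_reachable"}, "privileged_access"),
    ("path resolves into CGI handler", {"path_control"}, {"cgi_enabled"}, "code_execution"),
]

def candidate_paths(start, goal, env):
    """Return the minimal routes (lists of step names) from start capabilities to goal under env."""
    found, queue = {}, deque([(frozenset(start), [])])
    while queue:
        caps, route = queue.popleft()
        if goal in caps:
            found.setdefault(frozenset(route), route)  # ignore reorderings of the same steps
            continue
        for step, needs, facts, gain in TRANSITIONS:
            # A transition fires only if its preconditions hold and it adds something new.
            if gain not in caps and needs <= caps and facts <= env:
                queue.append((caps | {gain}, route + [step]))
    # Drop routes that only pad a shorter route with steps it does not need.
    return [r for s, r in found.items() if not any(o < s for o in found)]

def required_facts(route):
    """Environment facts a route depends on: what to validate, and what to remove to break it."""
    return set().union(*(facts for step, _, facts, _ in TRANSITIONS if step in route))

if __name__ == "__main__":
    for env in ({"cgi_enabled"}, {"secrets_in_config", "service_reachable"}, set()):
        for goal in ("code_execution", "privileged_access"):
            for route in candidate_paths({"network_access"}, goal, env):
                print(sorted(env), goal, " -> ".join(route), sorted(required_facts(route)))
```

The facts returned by `required_facts` are the claims to check against the real environment; a route whose facts do not hold is discarded, and removing any one of them breaks the route.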