There are also different kinds of vulnerabilities. Apple's recent problem with an open root account, for example, is only exploitable if you have physical access to the machine. It's extremely serious if exploited (if you get in as root, you can do literally anything), but in many environments, it's impossible to exploit. A Mac in a home-based photo studio isn't vulnerable at all, because nobody would be in there. On the other hand, it's a disastrous vulnerability in a university computer lab where hundreds of people have physical access.
The opposite extreme is represented by the recent spate of web pages that run cryptocurrency mining operations in the background. The consequences aren't all that severe (your computer uses a little extra electricity until you quit your browser), but it's a really easy vulnerability to exploit: any web ad can do it.