We do have tools in every step of the sdlc so we can find issues as early as possible. Anything that is exploitable and left unmatched is a compliance violation so we take it very seriously. That said, exploitability is very (expensive) hard to proof, so in practice we try to mitigate via upgrading instead of long pointless discussions about risk. The second thing this forces us, is to look at complexity and tech-debt in a new light.

Yes get chased up about it by security teams. Internal or external apps.

It's mandatory as part of the SDLC and support by appropriate tooling, unfixed higher level vulnerabilities are periodically tracked by middle-upper management

Tools in the pipelines detect and report on CVEs found.

We block high/critical by default and the rest are given a deadline to be resolved in agreement with security.