Interesting how DoS ranks higher than code exposure in severity.

I personally think it's the other way around, since code exposure increases the odds that a security breach happens, while DoS does not increase chances of exposure, but affects reliability.

Obviously we are simplifying a multidimensional severity to one dimension, but I personally think that breaches are more important than reliability. I'd rather have my app go down than be breached.

And I don't think it's a trivial difference, if you'd rather have a breach than downtime, you will have a breach.