What is a cybersecurity professional going to do about a bunch of vulnerabilities in an app that someone else decided to deploy on a network they are responsible for?

99% of cybersecurity in the commercial sector is a box checking compliance exercise.