> I'm always curious about the companies that require vendors to report all instances where patches to CVSS 9.x vulnerabilities are not applied to all endpoints within 24 hours.

That sounds like a nigh-impossible requirement, as you've written it.

I suspect the actual requirement is much more limited in scope.