A method to assess 'forgivable' vs 'unforgivable' vulnerabilities