This session presents analysis of data drawn from fifteen software security remediation projects. Data is presented both on the time required to remediate specific classes of vulnerabilities as well as the overall composition of remediation projects so that attendees can see what percentage of remediation projects is spent actually fixing vulnerabilities and what time is spent on other activities.