Discrepancies were found when comparing the Severity ratings shown in the Compliance Report drill-downs with the data detailed in the Patch Remediation Center listings, and with reference to the Microsoft TechNet site.
Example reviewed:
Patch Management Compliance Reports return the overall Bulletin's Severity rating, not the Severity rating of individual Software Updates.
As in the Example above:
Advisory: The Compliance Reports display only the updates to which the environment is vulnerable. If an environment's Compliance Report showed it as vulnerable to an update rated 'Moderate' Severity, yet Microsoft rates the Bulletin of that update as 'Critical' Severity, then the environment could be susceptible to a Critical threat if that update is not deployed. This is why the product was developed to overtarget based on the Bulletin Severity rating.
An Enhancement Request is currently under review by Symantec Corp.
Workaround: To add this behavior, implement the attached stored procedure/process to run a clone of the 'Windows Compliance by Update' report that displays Severity by individual Software Update.
Advisory: Each vendor has a separate Severity Rating. Please review the following links, which define the Severity Rating given by each individual vendor: