As part of compliance, older systems must be secured first.

Because the most recently added systems to the network are likely to be the most vulnerable.

New applications have not yet been added to the threat model, hence they are not critical.

To manage the limited resources efficiently by prioritizing the assets that would cause the most significant impact if compromised.

To ensure all security measures are applied evenly across every system.