How do you prioritize a large backlog of security findings?
Don't sort by severity alone; a scanner's "critical" on an internal, authenticated, no-data host often ranks below a "high" on an unauthenticated internet-facing endpoint. Combine exploitability (public exploit or trivially reachable path, not just theoretical), exposure (internet-facing? authentication required?), blast radius and data sensitivity (what can be reached or exfiltrated if it lands), and fix cost. Group findings by root cause (CWE or bug class rather than instance) so one fix retires a whole class at once, tie remediation SLAs to risk tiers rather than to raw severity, and feed recurring patterns back into secure defaults and guardrails (linters, frameworks, templates) so the backlog shrinks structurally rather than one ticket at a time.
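The scoring and grouping described above, as an added worked example (not code from the original answer). The weights, tier thresholds, SLA days and the five findings in `BACKLOG` are constructed for illustration; a real program would calibrate them against its own incident history.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str
    root_cause: str        # bug class, e.g. a CWE id, not the individual instance
    severity: str          # scanner/CVSS label: critical | high | medium | low
    exploitable: bool      # public exploit or trivially reachable, not just theoretical
    internet_facing: bool
    auth_required: bool
    data_sensitivity: int  # 0 none, 1 internal, 2 PII, 3 regulated data / secrets
    fix_cost: int          # 1 config change, 2 code fix, 3 redesign


# Assumed weights: severity is only the starting point, context scales it.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed SLA per risk tier (days to remediate).
SLA_DAYS = {"P0": 1, "P1": 7, "P2": 30, "P3": 90}


def risk_score(f: Finding) -> float:
    """Exploitability, exposure and blast radius multiply the base severity.

    Range is 0.5 (low, internal, authenticated, no data) to 64 (critical,
    exploitable, internet-facing, unauthenticated, regulated data).
    """
    score = float(SEVERITY_WEIGHT[f.severity])
    score *= 2.0 if f.exploitable else 1.0
    score *= 2.0 if f.internet_facing else 1.0
    score *= 0.5 if f.auth_required else 1.0
    score *= 1 + f.data_sensitivity      # blast radius: 1x .. 4x
    return score


def tier(score: float) -> str:
    """Map a risk score to an SLA tier (thresholds are assumptions)."""
    if score >= 32:
        return "P0"
    if score >= 16:
        return "P1"
    if score >= 4:
        return "P2"
    return "P3"


def prioritize(findings):
    """Order by risk, then cheapest fix first among equals, then id for stability."""
    ordered = sorted(findings, key=lambda f: (-risk_score(f), f.fix_cost, f.fid))
    return [(f.fid, tier(risk_score(f)), risk_score(f), SLA_DAYS[tier(risk_score(f))])
            for f in ordered]


def by_root_cause(findings):
    """Aggregate risk per bug class so the class-level fix that retires the
    most risk rises to the top, regardless of any single ticket's severity."""
    totals = defaultdict(lambda: [0, 0.0])
    for f in findings:
        totals[f.root_cause][0] += 1
        totals[f.root_cause][1] += risk_score(f)
    return sorted(((cwe, n, risk) for cwe, (n, risk) in totals.items()),
                  key=lambda t: (-t[2], t[0]))


# Constructed sample backlog, not real findings.
BACKLOG = [
    Finding("F1", "CWE-89", "high", True, True, False, 3, 2),      # SQLi, unauth, regulated data
    Finding("F2", "CWE-89", "medium", False, False, True, 1, 1),   # SQLi, internal admin tool
    Finding("F3", "CWE-918", "critical", True, True, True, 2, 3),  # SSRF behind login
    Finding("F4", "CWE-1104", "critical", False, False, True, 0, 1),  # "critical" dep, unreachable
    Finding("F5", "CWE-89", "high", True, True, True, 2, 2),       # SQLi behind login, PII
]

if __name__ == "__main__":
    for fid, t, score, sla in prioritize(BACKLOG):
        print(f"{fid}: {t} score={score:>5.1f} fix within {sla}d")
    print("by root cause:")
    for cwe, n, risk in by_root_cause(BACKLOG):
        print(f"  {cwe}: {n} findings, aggregate risk {risk:.1f}")
```

Two things the output makes visible that a severity sort hides: F4 is labelled critical but lands in P3 because nothing reachable depends on it, and CWE-89 carries more aggregate risk than any other class, so a parameterized-query guardrail (ORM enforcement, a lint rule on string-built SQL) is the fix that shrinks the backlog fastest, not the three individual tickets.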