I noticed the following in a Qualys press release cited by SC Magazine:
"'The Laws of Vulnerabilities research gives security managers and executives clear, statistical information that helps them make better informed decisions,' said Howard A. Schmidt, former cyber security advisor to the President.
'With automated attacks creating 85 percent of their damage within the first fifteen days, it is even more critical that organizations act quickly to identify and remediate threats.'" (emphasis added)
Mr. Schmidt is not using the term "threat" properly here. "Organizations" cannot remediate "threats". The definition of "remediate" is "set straight or right; 'remedy these deficiencies'". The word "deficiencies" in the sample usage is a direct reference to vulnerabilities.
The only way to remediate a threat would be to capture and/or incapacitate the party exploiting an asset. Assuming we can accept this stretch of the term, only law enforcement or the military could act against threats in this manner. Hence, (civilian) organizations don't "remediate threats."