An important point to consider is that SLAs usually have a human component behind them. There is an "issue" that a human is waiting to be solved. When I think of Vulnerabilities, there is not a human behind the scenes waiting for this to be addressed so they can get on with whatever they are doing before the issue comes up. The second interesting thing is that humans are desensitized to urgency if they are overrun with stuff like SLAs. SLAs create a lot of unnecessary noise unless they are reserved for very select critical events.
If you think about it, there is zero difference between an RTD and an SLA if leaders don't take action. At the scale of VR, leaders must rely on RTD by reviewing their dashboards and determining how things are going. I think that MBWA is a very, very, very important job for leaders. I see many organizations try to have SN "manage" their employees' behavior through complex workflows, SLAs, and notifications.
Reserve the SLA for mission-critical events that involve humans.
Has my guidance changed on RTDs vs. SLAs? Nope. If anything, it is now leaning more towards RTD and having leaders review their dashboards and understand what is happening on the floor of their organizations.

Hello Chris, we are currently considering using SLAs instead of RTR because we want to exclude weekend days in the calculation. From our point the only way to use RTR and exclude weekend days is by customizing the script include for the RT calculation but we would like to avoid this solution. 

With SLA definitions we can select schedules where weekend days are excluded. Would you also consider SLAs to be the best way to implement this? 

I think the discussion may be mixing two different governance concepts that actually serve different purposes.

Remediation Target Rules (RTRs) on Vulnerable Items are essentially a vulnerability exposure aging mechanism - effectively a desired remediation timeframe or “due date” for a specific vulnerability exposure (VIT). In that sense, I fully agree they should primarily support leadership visibility, dashboarding, and overall risk posture governance.

SLAs on Remediation Tasks, however, measure something different entirely: the operational performance of the resolver teams handling the remediation effort itself. They are closer to traditional operational metrics such as:

- Time to Own (TTO)
- Time to Resolve (TTR)
- Remediation execution accountability

In other words, the SLA is not necessarily measuring the vulnerability exposure duration itself, but rather the agreed operational response and execution expectations for the remediation team, regardless of implementation dependencies, CAB windows, vendor delays, etc.

From that perspective, both models can coexist perfectly well because they track different dimensions of the process:

- RTRs - security exposure aging and governance
- SLAs - operational remediation execution and team accountability

I would also agree that excessive SLA notifications can create noise and desensitization. In practice, I would lean toward:

- lightweight/no notifications on RTDs,
- while reserving SLA-driven escalations for selected operational remediation workflows or critical exposures.

That separation actually aligns quite well with the modern USEM direction, where exposure tracking and remediation operations are increasingly treated as separate governance layers.