Fighting Blind: Why Vulnerability Management Demands More Than Scan-and-Patch