A ‘best practice’ is to prioritize your cyber security time and efforts, such as prioritizing issues that may arise. There are many ways of categorizing vulnerabilities such as by Critical, High, Medium, et cetera and the Common Vulnerability Scoring System [CVSS] rating numbers.
In order for something to be an exploit in Your environment/company/field, you would have to verify if you have an active threat targeting a vulnerability in Your environment, then calculate the risk.
Example: If there is a Threat of being able to steal credit card numbers from an older WordPress website, and your company uses a WordPress website (<- Vulnerability) but you have a newer updated patched version of WordPress, so there is no Risk, so you are not Exploitable to this threat.
A Threat is what can actually exploit a vulnerability in your environment. A Vulnerability is the actual weakness that is currently present in your environment as an entry point for malicious attackers. The Risk would be the calculation of the level of damage or interruption this threat would cause your environment if exploited. An Exploit would be an active threat to a current high risk vulnerability.