CISA’s new 2026 vulnerability guidance shows why small businesses should take software updates, exposed systems, and patch management more seriously.