Jan 5, 2022
I used these metrics 15 years ago and I don't think there is a better way to understand how well you are performing vulnerability patching. I also used additional metrics like frequency of vulnerability checking for assets, as we did not have an automatic way to do it and it was relevant to the environment. I also used these metrics to influence Dev teams, as I compared their performance when fixing vulns, which eventually got their attention... This approach works, folks. Use it.