Cybersecurity researchers discover dozens of new vulnerabilities every day. In 2019, 17,980 vulnerabilities were published on NVD alone. This means that, on average, 50 new vulnerabilities are published daily. In this kind of environment, it is too risky to rely on periodic vulnerability scans.
Vulnerability scanners can only scan assets that they can reach. If a host in your network is not accessible to vulnerability scanners, its vulnerabilities can stay hidden until targeted by an attack. Likewise, if a vulnerable asset doesn’t have a remote listening service (a web browser, for example), vulnerability scanners cannot find its vulnerabilities with an unauthenticated scan.
Even if your vulnerability scanner reaches your vulnerable assets and detects their vulnerabilities successfully, there will be a big delay between the publication of a vulnerability and the moment you are notified. First, vulnerability scanner companies need some time to update their tools’ vulnerability databases. Then, you need to update your vulnerability scanner’s database. On top of these delays, vulnerability scanning is done periodically (usually weekly or monthly), so attackers have plenty of time to exploit “new” vulnerabilities.