Your remediation plan should always be based on risk vs. reward in your environment. This is a function of Risk Management. The level of the vulnerability does not define the level of risk. For a vulnerability to become risk, you must also have a threat present. Therefore, a level 5 vulnerability with no threat can be categorized as a low risk vulnerability, but a level 3 vulnerability with a high threat should be categorized as a high risk vulnerability.
Basically, though, all vulnerabilities found should be dealt with eventually. You first work through the ones with the highest risk associated with them. You should then work into the medium risk ones. Lastly, you should deal with the low risk ones.
With that in mind, it is not always necessary that you remove the vulnerability completely. You may decide that the risk posed is acceptable. It's a risk and reward balancing act... with compensating controls or removal as viable options.
Hope that helps...
eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+