Our corporate network is subject to 6-monthly vulnerability scans from a certified third party to meet a variety of security standards certifications. Our directors would like to see the security team responsible do some metrics for performance management purposes to demonstrate that lessons are being learned from the findings, root causes addressed, and the number of issues raised declines each time the scans/assessments are complete.
I wondered if anyone else does this degree of analysis and what metrics you use. Is it as simple as the number of risks logged in the assessor's report, or are they broken down by category, e.g. password-related issues, patch-related issues, configuration-related issues, etc.? I totally get the idea that, in theory, if the scans/assessments just find the same types of risk each audit, then the root causes probably aren't being addressed; it's just, realistically, what metrics are you using to demonstrate each time that things have improved, lessons learned, etc.?
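One way to turn two consecutive assessor reports into the kind of trend metrics the question asks about (carry-over rate, fixed vs. new findings, per-category breakdown, and check types that reappear on other hosts). This is an added example, not part of the original post; the hosts, check names and categories are constructed sample data, and the assessor's real report format would need to be mapped onto the same fields.

```python
from collections import Counter

# Constructed sample findings from two consecutive scans (not real data).
# A finding is identified by the check that fired and the host it fired on.
SCAN_1 = [
    {"host": "10.0.0.5", "check": "SSH weak ciphers", "category": "configuration"},
    {"host": "10.0.0.5", "check": "Missing OS patches", "category": "patching"},
    {"host": "10.0.0.7", "check": "Missing OS patches", "category": "patching"},
    {"host": "10.0.0.9", "check": "Default credentials", "category": "credentials"},
    {"host": "10.0.0.9", "check": "TLS 1.0 enabled", "category": "configuration"},
]
SCAN_2 = [
    {"host": "10.0.0.5", "check": "SSH weak ciphers", "category": "configuration"},
    {"host": "10.0.0.7", "check": "Missing OS patches", "category": "patching"},
    {"host": "10.0.0.12", "check": "Missing OS patches", "category": "patching"},
    {"host": "10.0.0.9", "check": "TLS 1.0 enabled", "category": "configuration"},
]


def finding_key(finding):
    return (finding["host"], finding["check"])


def compare_scans(previous, current):
    """Derive remediation and root-cause metrics from two consecutive scan reports."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    carried = set(prev) & set(curr)   # same host, same check: not remediated
    fixed = set(prev) - set(curr)     # present last time, gone now
    new = set(curr) - set(prev)       # did not exist last time
    # Same check type firing on a host it was not seen on before suggests the
    # root cause (e.g. patch process, build standard) was never addressed.
    recurring_types = {check for _, check in new} & {f["check"] for f in previous}
    return {
        "total_previous": len(prev),
        "total_current": len(curr),
        "carried_over": len(carried),
        "fixed": len(fixed),
        "new": len(new),
        "carry_over_rate": round(len(carried) / len(prev), 2) if prev else 0.0,
        "open_by_category": dict(Counter(f["category"] for f in current)),
        "carried_by_category": dict(Counter(curr[k]["category"] for k in carried)),
        "recurring_check_types": sorted(recurring_types),
    }


if __name__ == "__main__":
    for name, value in compare_scans(SCAN_1, SCAN_2).items():
        print(f"{name}: {value}")
```

Reported over several cycles, a falling carry-over rate and an empty recurring-check-types list are the two numbers that most directly evidence root causes being fixed rather than individual findings being closed.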