There are ISec companies that maintain this kind of lists as part of their main business. They test against penetration tools and review against all CVEs. I worked in such a company, but unfortunately, I don't remember specific patterns and couldn't disclose any if I did. I know I'm not being extremely useful. In any case, I think it is important to clearly state that companies with critical security requirements should probably not rely solely on this.