Wednesday, January 2, 2019

Remember, you can't protect what you don't know about, and that's the main reason why the top two CIS controls have remained the same. Here is an interesting thought from Jeremiah Grossman on penetration testing / vulnerability assessment.



Many ORGs prioritize vuln assessments / pen-tests towards their most ‘critical’ assets. While a seemingly sensible approach, breach data shows it’s very often the obscure or unknown assets that get compromised first — and the adversary pivots. It’s their easiest path to victory.
