Should vulnerability assessments look at more than just external systems?

Yes, vulnerability assessments is more than just external systems.

When we talk about cyber security, it is important to take all of the organization’s technology and personnel into account.

These include internal and external hosts, network devices, commercial off-the-shelf applications, third party applications, vendors, telephones, applications, and even security devices, and the cleaning crew.