Question: Where to track exceptions that apply to multiple modules

Since exceptions are tracked separately in each module, I’m wondering where others log their exceptions that are applicable to all modules.

Example: I have a risk of an unsupported operating system. I could log the exception in the risk module that I have applications that do not support the latest OS version, or I could track this at the security policy stating that we must patch and keep our systems up-to-date. I could also track this at the control level for either a patch management or vulnerability management control, and finally, I could also track this at the compliance item, specifically thinking ISO (managing technical vulnerabilities). Ideally, I would track all exceptions in one module and then have the ability to map the exception within each module back to the parent, but my methodology has been to look at the highest level and apply the exception there. In this case, that would be at the policy level. What are you guys doing?

I would register this exemption in the policy module only.
As I see it, the policy (telling you to keep things updated) is the only thing you are really making an exemption from.
When doing asset risk management on the asset, you find it vulnerable and will for sure make a control ensuring the asset is updated.
And, if possible, relate them all together with filters.