
Is there any predefined, globally accepted methodology, framework or standard specifically on calculating the business impact of technical (network, web, mobile, ...) vulnerability issues?

Scoring and calculating the impacts are key concerns I am researching.

Anuruddha

2 Answers

It really has to be done on a business-by-business basis, but it usually boils down to quantifying the impact based on the amount of money that the risk event could cause in terms of lost revenue, the amount of damage that would occur to the business's brand and status in the industry, and/or the legal fallout (and especially if that legal fallout could include criminal liability).

You might find what you are looking for from the Open Group: http://www.opengroup.org/

or the Risk Management Institute: https://www.theirm.org/media/886059/ARMS_2002_IRM.pdf

Thomas Carlisle

There are some frameworks which evaluate the business impact of technical vulnerabilities, but in the end it all comes down to the question:

How much does this specific vulnerability affect my business, and to what extent?

For example, for some websites an XSS vulnerability may not be considered critical because it doesn't put much risk on their business goals or on their potential clients, but for other websites it may cause them to lose clients, hurting their business goals.

So before blindly accepting any standard, evaluate your business goals and the impact of any technical bug on your business based on those goals, and then categorize vulnerabilities accordingly.