I was asked by a student how OWASP Top 10 are ranked, based on which indicators: is it severity? ease of exploit? ease of implementing their countermeasures? ... Knowing that each of these vulnerabilities is either severe or not based on the mise usecase possible.

Furthermore, I would be interested in more Top 10 different than the ones of OWASP and different than Web vulnerabilities.

Please I would appreciate answers based on references.