I’ve recently been working on something very similar, and like you I’m debating the attributes and criteria that elevate one product or publisher above another. One area specifically that I have been putting a lot of focus into is the idea that for a given publisher, say Microsoft, only a certain percentage of my overall licensing position is made up of high value/high risk/high cost products. The SQL Enterprise, Windows Server DC, M365s of the world command high dollars, and without focus can easily become huge compliance risks. From that perspective the handful of unlicensed Visio, InfoPath, or Project deployments one may find (or not) don’t pose nearly as large of a threat.
I’ve started asking myself, at what point, with the resources and tooling available to me, is enough, enough? Do we work to establish compliance for ALL things Microsoft? Or just the high risk, high reward products like SQL and Windows Server DC? Essentially taking your idea above and tweaking it, instead of ranking publishers as Tier 1, 2, and so on… rank the products you own/consume as Tier 1, or 2. At a certain point the value add of finally nailing down a compliance position for InfoPath 2013 really isn’t all that valuable, yet many organizations find themselves chasing that last 10% of the estate when 100% of your risk and ‘value add’ lives in the other 90%.