Although analyzing complex systems could be a complicated process, current approaches to quantify system security or vulnerability usually consider the whole system as a single component. In this paper, we propose a new compositional method to evaluate the vulnerability measure of complex systems. By the word composition we mean that the vulnerability measure of a complex system can be computed using pre-calculated vulnerability measures of its components. We define compatible systems to demonstrate which components could combine. Moreover, choice, sequential, parallel and synchronized parallel composition methods are defined and the measurement of the vulnerability in each case is presented. Our method uses a state machine to model the system. The model considers unauthorized states and attacker capabilities. Furthermore, both the probability of attack and delay time to reach the target state are used to quantify vulnerability. The proposed approach would be useful to analyze complex systems which may have complicated models. This approach reduces the state space and complexity of computation. On the other hand, if a component is replaced by another one, the vulnerability measures of other components do not change. Thus, these quantities are reused in new computation. Therefore, the calculation of the vulnerability measure for a new system is simplified.