But that's an issue organizations bring upon themselves, by defining semi-arbitrary KPIs that are used without proper interpretation. It's not directly caused by CVEs or assigned scores. It's like blaming git that it count lines in diffs, because your company created a KPI that measures developer's based on LOC changes.