Unfortunately, CVSS scores are gamified hard. Companies pay more money in bug bounty programs, so there's an incentive for bug bounty hunters to talk up the impact of their discovery. Especially the CVSS v3 calculation can produce some unexpected super high or super low scores.

While scores are a good way to bring this stuff to people's attention, I wouldn't use them to enforce business processes. There's a good chance your code isn't even affected by this CVE even if your security scanners all go full red alert on this bug.

It’s possible to create a scoring system based on actual root cause analysis and impact scores.

Surprised there isn’t more talk about a solution like this or something and more downplaying CVSS.

Downplaying CVSS alone can smell a little like PR talk even however unintentional.

A CVSS score of 10.0 may be warranted in this case, but so many other CVSS scores are wildly inflated, that the scores don't mean a lot.

Regardless it can still provide some context and adjustment cs none.

The above could be seen as spin too, how could cvss be more accurate so you’d feel better?