You can think of it as a "fail-safe" situation.

Being cautious here means "it's better to assign a CVE when it's not a vulnerability, than to NOT assign a CVE when it's actually a vulnerability"