Accurately determining risk relies on decent starting data; otherwise you run the risk of garbage-in, garbage-out. Whilst things like VEX and EPSS can help, they are based on the starting point that is CVE assignment and CVSS score.
I don't particularly think that CVE+CVSS has been the "right" way to do things ever (definitely not in the last 10 years) but my thoughts don't really matter whilst regulators and governments apply special significance to them, which they do.
Security bugs are special if a regulator can deem you in non-compliance if you have too many of them.
This is of course leaving the whole area of attackers who actively try to exploit them to one side :).