
As an active consumer of CVEs: yeah, there are major problems. No, there's nothing better, and no, I don't have any better ideas.

The scores are mostly useless; I would not care if they disappeared, I do not look at them. I don't really understand why people get so upset about garbage scores though. If a high CVSS score creates a bunch of work for you then your vuln mgmt process is broken IMO. (Or alternatively, you are in the business of compliance rather than security. If you don't like working in compliance, CVSS scores aren't the root cause of your misery.)

Having a central list of "here's a bunch of things with stable IDs that you might or might not care about" is very valuable.



> you are in the business of compliance rather than security.

So, most businesses. They all need their ISO/NIST/HIPAA/etc certs.


Yeah, most businesses need window cleaners too. If you're a window cleaner and you complain about all the birds shitting on windows, I dunno what to tell ya.

If you're working in compliance either

A) you're stuck in your compliance job, that sucks, CVSS scores aren't the reason why though.

B) you enjoy compliance.

C) you should change jobs.


Often it is a second-order impact. This creates a bunch of work for the compliance people, but then the compliance people end up creating a bunch of work for everyone else. If you count anyone who might have to follow compliance as working in compliance, then I propose that there aren't enough non-compliance jobs to go around.


Hmm, I dunno, I think

a) If you are having to do busywork for compliance reasons, you are either disempowered to push back on bullshit work (case A above, unfortunate, but your job was gonna suck anyway), or it's not really a second-order effect: you work in compliance in a meaningful way.

b) Compliance bullshit seems to expand into the space available to it. Nobody thinks CVSS scores are meaningful; the fact that they feed into compliance processes is not the CVSS scores' fault, it's the compliance machine just globbing onto random bullshit as its expansion continues. If you took away CVSS scores it feels like it would just glob onto something else instead.

Anyway, in the end I think we aren't disagreeing about that much. I think they're silly; if someone wanted to get rid of them I wouldn't try to defend them at all. I just wouldn't be the person to push for that.
