Bit arbitrary
Not sure why they're bothering - there be analytics out there that do this already, Precision Genie is one that springs to mind (and that looks like it has more objective scoring than the 'boffins' stuff!)...
If you're in charge of a couple of thousand boxen, you can't patch every vulnerability report at once, so sysadmins will welcome help sorting out their priorities. That's what a couple of researchers hope to offer in what they call NCVS, the Non-Intrusive and Context-Based Vulnerability Scoring framework: making sense of the …