Re: Pay more, get less
This has been standard practice for decades.
Back in the old Technet CD days, when there were only 10s of thousands of reported issues, you got to see them and there was a report on whether the issue was being addressed or not.
Some bugs have little or no security impact. For example, an escalation bug that can only be used when sitting at a machine and using a very complex set of criteria would affect practically nobody, but require, say, a few hundred man hours to fix. That isn't something that they will want to fix, as long as no other method is found to escalate the bug to a higher priority. If somebody has physical access to the machine, they probably don't need the exploit anyway. This would then be looked at, as to whether it will be fixed in a future version, because it isn't urgent and there are better things to spend time on, for example, remote execution and drive-by exploits that are serious and likely to be actively exploited.
If MS had an infinite number of developers and infinite money, they could fix every bug. But with finite resources, you need to use the resources where it matters most.
They are just setting out the parameters they use to determine which problems are important enough to fix immediately, in the near term, in the long term or never, so that researchers can understand how the reporting system works - and whether they are likely to get a bug bounty for their work.