Re: "We need to start with a shared understanding of risk"
Get the point you're making but hurricanes might be a more useful analogy than you acknowledge because the high category ones carry some extremely different risks depending on where you live, the elevation, proximity to coast, whether you're on the leading edge, construction & orientation of home, basement access & preparation, vulnerability to flooding or storm surge, likelihood of other extreme weather accompanying storm, evacuation routes and refuges, time of day, and so on. The risk overall is extremely localised and there are (in the US at least) highly detailed real-time maps for these things which still don't capture personal circumstances. A Cat 5 *is* something you *might* want to look at.
The single biggest difference vs hurricanes and such with computer vulnerabilities is that they face an intelligent adversary. The CVSS (if evaluated accurately) mostly takes that out of the equation by focusing on what elevation of privilege is made possible rather than letting vendors off the hook because 'ah nobody will pull that off it's too complex or non-obvious'. That's a big win in my book. I'd hate to see the baby thrown out with the bath-water.
In the end if you're using a vulnerable product there's not much substitute for getting into the weeds of the problem and judging how it affects you, but the ratings do serve as a promotional headline for high-profile vulnerabilities and as a rap sheet for a product's historic vulnerabilities. (Again, if evaluated accurately - I've no idea how to solve that issue).