The logical next step is the two-dimensional risk rating approach.
This is already well established; risks are assessed both on likelihood and consequence. So this could capture how vulnerable the issue makes a system (e.g. ease of exploit, local access required, etc.) as well as the severity or harm if exploited.
It's a reasonable criticism that 1-10 over-simplifies, but you don't want to over-complicate things, either; that way lies analysis paralysis.