
It's not that simple though is it
There is value in a simple message. Your out of date software scores a CVSS of 10 therefore "critical" therefore you must fix it.
That's a nice simple message to give to non-technical decision makers.
The nuance around the 'risk' presented from that vulnerability is much harder to articulate. And that is probably best managed by whatever means is most appropriate for the organisation. That doesn't remove the value of the simple scoring mechanism it just puts an onus on security staff and accreditors to use that information properly