
Re: The logical next step is the two-dimensional risk rating approach
Please look closer. CVSS scoring is already multi-dimensional. It is essentially polynomial.
The problem is that end-user news articles only show the CVE numbers and final CVSS summary scores. Without including direct links to the CVE report and the CVSS calculator, the one-dimensional summary score tends to dominate the discussion. I've called for El Reg to improve on this, but more of us need to make a stink about it--instead of just shouting in the wind, like the prophets of the boomer generation (yeah, that includes me).
I'm more than ready to see a CVSS version 4, 5, 6, etc. Evolution is inevitable. But more of us need to demand better from the places where we discuss these things. Are you listening, El Reg? We love you, but step up.