Can't say that I agree at all
The point of the scoring system is to draw attention to the bloody obvious. In general it works for reasons already stated in the comments. Because it is simple enough to understand. If your organization actually takes risk management seriously, it has in-house staff to do the scoring in the context of how it affects the organization. Risk and threat modeling is not something I would expect someone outside my organization to understand as far as it applies to my organization because they lack the information to do so. I would not expect any agency or a third party organization to do a valid scoring for my organization as a general rule (auditing etc. not included). They can't and even if they could it would not scale to try and keep such a vast library up to date. The simplicity scales.