We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

No one who has spent any time thinking about this issue uses CVE scores as anything other than a rank order in evaluating bugs that came in overnight. I've never gone to management and said, "Boss, we have to get on this one--it's a CVE 7!" or 8 or 9 or 10. If a point upgrade of the associated libraries is not enough, you evaluate the vuln in the context of your business and, depending on how much process is needed, present the case to manglement about the actual threats the business faces relative to the known vulnerabilities in the system.

And while I'm in a bad mood, why are people talking about vuln chaining? Maybe it's a civilian mindset that I miss, but you infiltrate the same way you build--one step at a time. This has always been the case. Again, I've never said, "Oh, it's just a privilege escalation bug," or "Oh, it's just an unauthorized access issue." Every vuln in your system is a stepping stone to the next (potentially currently unknown) bigger vuln.
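Added example, not part of the comment above: one way to make "a score is only a rank order" and "every vuln is a stepping stone" concrete is to triage against an attack graph instead of a CVSS column. The findings, foothold names (`network`, `webapp-shell`, `root`, ...) and scores below are constructed for illustration; they are not real CVEs. Each finding is an edge that moves an attacker from one foothold to another, so a low-scored credential leak that sits on the only path to root outranks a higher-scored DoS that leads nowhere.

```python
from collections import defaultdict

# Constructed sample findings (illustrative, not real CVEs). Each is an edge in
# an attack graph: exploiting it takes an attacker from `pre` to `post`.
VULNS = [
    {"id": "V1", "desc": "unauthenticated path traversal reads web app files",
     "cvss": 5.3, "pre": "network", "post": "webapp-files"},
    {"id": "V2", "desc": "database password in a readable config file",
     "cvss": 4.0, "pre": "webapp-files", "post": "webapp-shell"},
    {"id": "V3", "desc": "local privilege escalation in a setuid helper",
     "cvss": 7.8, "pre": "webapp-shell", "post": "root"},
    {"id": "V4", "desc": "crash (DoS) in an internal metrics agent",
     "cvss": 7.5, "pre": "internal-net", "post": "metrics-down"},
    {"id": "V5", "desc": "SSRF that leaks an instance credential",
     "cvss": 6.5, "pre": "network", "post": "webapp-shell"},
]


def build_graph(vulns):
    """Map each foothold to the list of vulns exploitable from it."""
    graph = defaultdict(list)
    for v in vulns:
        graph[v["pre"]].append(v)
    return graph


def all_chains(vulns, start, goal):
    """Enumerate every simple path (list of vuln ids) from `start` to `goal`."""
    graph = build_graph(vulns)
    chains = []

    def walk(state, visited, path):
        if state == goal:
            chains.append(list(path))
            return
        for v in graph.get(state, []):
            if v["post"] in visited:
                continue  # never revisit a foothold: keeps paths simple
            path.append(v["id"])
            walk(v["post"], visited | {v["post"]}, path)
            path.pop()

    walk(start, {start}, [])
    return chains


def shortest_chain(vulns, start, goal):
    """Fewest exploitation steps from `start` to `goal`, or None if unreachable."""
    chains = all_chains(vulns, start, goal)
    return min(chains, key=len) if chains else None


def prioritize(vulns, start, goal):
    """Rank by how many goal-reaching chains a vuln sits on; CVSS only breaks ties.

    Returns (id, chains_on, cvss) tuples, most urgent first.
    """
    on_chain = defaultdict(int)
    for chain in all_chains(vulns, start, goal):
        for vid in chain:
            on_chain[vid] += 1
    ranked = sorted(vulns, key=lambda v: (-on_chain[v["id"]], -v["cvss"]))
    return [(v["id"], on_chain[v["id"]], v["cvss"]) for v in ranked]


if __name__ == "__main__":
    for vid, chains, cvss in prioritize(VULNS, "network", "root"):
        print(f"{vid}: on {chains} chain(s) to root, CVSS {cvss}")
    print("shortest chain:", shortest_chain(VULNS, "network", "root"))
```

With this sample the DoS (V4, 7.5) lands at the bottom because no chain runs through it, while the 4.0 credential leak (V2) ranks above it because it completes a path to root. Removing the privilege escalation (V3) disconnects the goal entirely, which is the chaining argument in code: the "just a privesc" bug is the step that turns a shell as the web app user into root.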

