This way of thinking is how almost everyone approaches CVEs, but is also out of date now. There are millions of open source projects (tens of millions really). This attitude of treating security bugs as some sort of special snowflake isn't realistic.
There are easily hundreds of thousands of security vulnerabilities fixed every year that get no IDs because the current process is rooted in security from 1999 (the number is probably way way higher, but you get the idea).
Rather than obsessing over individual vulnerability IDs, we should be building systems that treat this data as one of many inputs to determining risk.
Accurately determining risk relies on decent starting data, otherwise you run the risk of Garbage-in, Garbage-out. Whilst things like VEX and EPSS can help, they are based on the starting point that is CVE assignment and CVSS score.
I don't particularly think that CVE+CVSS has been the "right" way to do things ever (definitely not in the last 10 years) but my thoughts don't really matter whilst regulators and governments apply special significance to them, which they do.
Security bugs are special if a regulator can deem you in non-compliance if you have too many of them.
This is of course leaving the whole area of attackers who actively try to exploit them to one side :).