(no title)

We have to do that anyway because a worst case assessment is almost never worst case or even close.

CVSS is just the wrong tool for the job anyway. It's like assessing individual car parts on dimensions like "steering" and "acceleration" when most parts have no direct relationship to the completed product's high level qualities. And then you construct "worst case" stories that go "well, in the event that you are not steering while accelerating sharply, a fault in this seat cover could make that whole thing worse and cause a fatal crash: CVSS 9.9!"