The most worrying part here is not even whether this specific issue deserved a CVE. It is the incentive structure.