The issue is that understanding what is actually exploitable and what is actually a part of your threat model is difficult, it's a pretty high bar, a bar not met by most people that typically have decision making power around a product or service. It's a huge problem but it's not particularly easy to fix so it's pretty obvious why the industry has taken the route of deciding certifications and scans = security and that vulnerabilities only exist if they have a CVE assigned, and anything with a CVE assigned must be an actual problem.