It is, but also worth keeping in mind that vulnerability triage is just an annoying, resource-intensive process. Putting aside the "named vulnerability" thing, the most common prompt for a triage process is "new vulnerability discovered in a dependency"; that will happen several times a week in most significant products. Almost all of those vulnerabilities are marginal, and even the ones that aren't are usually not exposed in a typical use of the dependency. It's just an annoying problem.

This is a large part of my job. If something pops in the news that mentions our tech/industry/posture (or I suspect it will get c-suite attention) I immediately do a write up just like that. Depending on the severity (or even media “buzz”) I will include screenshots of my investigation and CC the relevant architects/managers. Still, that sometimes leads to managers wanting a meeting to discuss the email further but it GREATLY reduces panic emails when something crosses their newsfeed. On this topic - I also run our vulnerability management program and have to stress that CVSS score is not the lone factor on how much we care. I get lots of emails from people in the company saying “hey, did you see this”? for some random no impact vulnerability but am MORE than happy to thank them for the vigilance and explain why it’s not an impact because I want them to care.