So, you either explain to the customer about how the CVE is out of scope in this context due to the various mitigations or lack of exploitability, or you patch it. Every CVE is real, and should be addressed. Your customers pay you to help them understand it.

That's fair, but it's not really the fault of MITRE / the CVE database, it's the fact that people have been incentivized to submit these. Similar conversations have come up around how NPM handles vulnerability reports, since they treat all vulnerabilities the same, including very low-risk ones like DoS risks that require control of your build pipeline.

The problem is compounded in cases like Log4j where not even the CVE score can be trusted, or in cases you're describing where end-users don't understand CVE itself and only know it in the context of these 'world-ending' vulnerabilities.