In my personal experience as someone who has spent the last 6 years of his career in the security industry, almost nobody actually uses CVSS the way it is intended, they just almost arbitrarily tweak the CVSS inputs to produce an output they like.

You are correct that the attack complexity probably shouldn't be high in this case. But presumably the person calculating the CVSS score thought it was too high if attack complexity wasn't set to high.

CVSS has other issues, like people trying to apply it to things that are not vulnerabilities. I would ignore most CVSS scores you see and just read what the issue is instead and make your own judgement call.