I suspect that CVE inflation has poisoned the minds of many developers.

A db driver may have an issue with unsanitized user input when run against SQLite, but you only use it with oracle and sanitize input anyway, but that shows up as a 9.1 critical deployment blocker for corporate employees.

Unexploitable CVEs with inflated ratings make using any open source software a pain in the butt at BigCo.