you said that you want a list of things one would do with such information (meaning the known security impact of bugs). one obvious thing one does with it is to prioritize them (meaning, backport/apply to one's own trees, be that a distro or something in-house). you said and now confirmed again that such prioritization is bogus. now you can either claim that this bogus premise has a non-bogus consequence (something i assume you wouldn't based on your seeming inclination to logical methods) or i'm left wondering, hence my question in the previous post (which in turn you can also interpret as 'why prioritization is bogus?' - if it isn't then neither is applying security fixes from which it follows that withholding what is known to be a security bug is wrong).
now speaking of prioritization and that 'arbitrary' security label: why is it arbitrary? are you suggesting that non-security bugs are labeled as security ones (false positive issue) or that not all security bugs are labeled as such (false negative issue)? the former has no impact on one's security (just a bit of 'useless' work) and the latter assumes your bogus closed world model. so what is it you wanted to say here again?