
The bogus CVE problem

Posted Sep 14, 2023 11:42 UTC (Thu) by smoogen (subscriber, #97)
Parent article: The bogus CVE problem

Some of the problems with CVEs are the scale of the software available now and how much of it is used in odd places all over the place. CVEs were designed and written around the idea that the amount of software was in the hundreds of thousands and you only had a couple million systems to alert and protect.

Some of the problems with CVEs are that the system was designed to replace at least 2 other systems which fell apart in the late 1990s, when most software was closed source and, unless you could prove undeniably that there was a true vulnerability (and could not be hand-waved off with "you didn't do exactly what we said in this manual on Alpha Centauri protected by a cyberraptor"), it wasn't looked at and/or fixed.

Some of the problems are that everyone has a tendency to make anything they run into a game they can 'win' at. And when they can't win, they look for ways to avoid playing anymore. This goes for core programmers, security researchers, software companies, etc. These are known problems which aren't solvable because they are 'human condition' issues (and every solution just becomes a new game to win or lose at).

Most of the issues are that the above are known, but because they are all hard to get N people to agree to even trying a solution, you end up punting the problem to the next year and maybe just adding another number to the count of possible CVEs for a year.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds