It's a technical problem more than a moral problem. As you observe, it's helpful to have some kind of risk metric that captures the complexity of actual exposures in real systems. But with CVSS, there's so much context you need about why a vulnerability is scored as it is, you might as well just ditch the score and share the context; without the details about how the score was arrived at, your 8+ might just as well be my 1.0.