sph 6 days ago
It does not require consensus. It does not need to be immutable. It’s simply advisory data. There is no gain if one owner decides to censor or tamper with their stored CVE data, apart from annoyance for its users. You’ll be quite fine with a centralised database and mirrors. We have been fine with that until now. All that we need is data to be freely available, shared and possibly that other institutions offer to catalogue software vulnerabilities to have some kind of redundancy and duplication.
bane 6 days ago
Almost none of what you've said is correct regarding the use and purpose of the CVE database.