112233 3 days ago

Because in many cases the CVE vulnerability report is used by many as a proxy for the existence of a vulnerability: from clickbait journalism, to automated tool vendors and device procurement. It is, after all, published by a reputable source.

Then, you get a report, say, that calling X with malicious data causes a reboot. DoS! But the software vendor looks at it and sees that in order to call X you need so many permissions that you could do the reboot directly. What now?

Also, not every report submitted to be published as a CVE goes public immediately. Where does it go? If there is a CVE about an RCE in popular software, who knew about it before it went public?