Globally agreed excepted for the "harmless" bit. Hackers are good these days, and these apparently innocuous bugs can be exploited in creative ways

I think one thing we'll see is that "sophisticated" multi-step exploit chains will become the domain of script kiddies. They often already were, malware vendors often pre-packaged software that exploited several vulnerabilities in a row, but I expect that LLMs will make the "Attack Complexity" metric in CVSS even more useless than it already is.