I disagree. Surely the newsworthiness of vulnerability writeup is a mix of the relevance and article quality.
You could submit a vulnerability report about an internal tool no HN user could ever be affected by and people could find it really interesting, and you could submit an article about a vulnerability that’s really bad and only people that really care about the affected project would be interested.
Edit: removed some irrelevant stuff because I misread the comment