I recently read a post by the main curl developer about his troubles with a bogus CVE which was categorized as critical. The CRA requires disclosing all vulnerabilities within 24h to a government agency. If your product uses any number of well-known open source packages, there will always be new CVEs, most of which will probably not affect the security of the end product. I can't even imagine the burden it will place on companies, having to justify whether or not each new "vulnerability" is relevant in front of a government body.
I suspect many will opt to use lesser-known, proprietary components which are probably less secure but have fewer vulnerabilities reported.