They're a conflation of multiple lifecycle states: reported, confirmed, disclosed, patch available, and exploit available.

Perhaps the simplest way to reduce noise is to have 2 numbering systems: provisional "prepress" PCVE and confirmed CVE.