@bagder Anybody can request a CVE, not just upstream. It's less about project policy; if a real, medium-severity vulnerability doesn't have a CVE assigned, that basically just means nobody was bothered enough to request one.
kpcyrd@chaos.social
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
@bagder We would need to refer to bugs as "the buffer overflow that's in src/foo/bar.c line 1067 in version 4.5.6, and line 1058 in version 4.5.7" again.
Arch Linux wouldn't care, but it would make the life of Debian maintainers more difficult.