The scores do fail though - they don’t encompass enough information. They can’t encompass enough information because something that is critical in one sense (e.g., and making shit up here, Java listening to the internet) might not be in another (e.g. Java running on specific scientific data in an airgapped environment). Security is always situation and risk-appetite dependent. No number can encompass all that.

Not really. After working with CentOS (RIP) for a half decade, that Firefox version was so out of date I was practically in diapers when it came out. Getting the latest version of Firefox was such a pain that my org didn’t bother even if it would have given us some niceties.

LTS and other “enterprise” distros don’t push the latest version precisely because of dependencies.