by throwaway_391 2518 days ago
CVSS is an insane rating system made for a simpler time by antiquated practices, which doesn't account for many factors well, if at all.

Hover your mouse over each button at https://www.first.org/cvss/calculator/3.0 . There's Attack Complexity 'low' and 'high', for instance. You're either a script kiddie or have a two billion dollar exploitation budget and all the human resources you need, but nothing in between.


I will wear my vendor hat here for a moment.

AC is not about the attacker, but about the configuration of the component being assessed.

It's both:

"A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may require the attacker: to perform target-specific reconnaissance; to prepare the target environment to improve exploit reliability; or to inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. a man in the middle attack)."

But you could also argue that the 'Attack Complexity' of any exploit which has per-OS/arch exploits requires reconnaissance. There, I just boxed MS08-67 (which is arch-specific, iirc) as 'Attack Complexity: High' together with pretty much any theoretical crypto attack which would cost billions to exploit :)

Let's not forget CVSS doesn't assess likelihood or business impact well (or at all) either. Your org is far more likely to get rekt if you do not enforce application whitelisting, compared to an intranet-exposed drupalgeddon vulnerability.
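To put a number on the Attack Complexity argument running through this thread, here is an added CVSS v3.0 base-score calculator (not code from any of the commenters or from FIRST). The metric weights and the Impact/Exploitability formulas follow the published CVSS v3.0 specification; the vector strings used as input are constructed illustrations, not scores quoted from any advisory. `attack_complexity_spread` takes a vector and reports the score with AC:L and with AC:H while holding every other metric fixed, which makes the "nothing in between" point concrete: for a remote, unauthenticated, full-impact vector the only two possible answers are 9.8 and 8.1.

```python
"""CVSS v3.0 base-score calculator, added here to show how flipping the
single binary Attack Complexity metric moves the score.

Weights and formulas follow the CVSS v3.0 specification; the vectors in
__main__ and in the tests are constructed examples."""
from decimal import Decimal, ROUND_CEILING

D = Decimal

# Metric weights from the CVSS v3.0 specification (base metrics only).
WEIGHTS = {
    "AV": {"N": D("0.85"), "A": D("0.62"), "L": D("0.55"), "P": D("0.2")},
    "AC": {"L": D("0.77"), "H": D("0.44")},   # the two-valued metric under discussion
    "UI": {"N": D("0.85"), "R": D("0.62")},
    "C": {"H": D("0.56"), "L": D("0.22"), "N": D("0")},
}
WEIGHTS["I"] = WEIGHTS["A"] = WEIGHTS["C"]
# Privileges Required takes a higher weight when Scope is Changed: (S:U, S:C).
PR_WEIGHTS = {"N": (D("0.85"), D("0.85")),
              "L": (D("0.62"), D("0.68")),
              "H": (D("0.27"), D("0.50"))}
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_vector(vector):
    """Turn 'CVSS:3.0/AV:N/AC:L/...' (prefix optional) into a metric dict."""
    parts = vector.strip().split("/")
    if parts and parts[0].startswith("CVSS:"):
        parts = parts[1:]
    metrics = dict(p.split(":", 1) for p in parts)
    missing = set(BASE_METRICS) - metrics.keys()
    if missing:
        raise ValueError("vector is missing base metrics: %s" % sorted(missing))
    return metrics


def roundup(x):
    """CVSS 'Round up': the smallest value with one decimal place that is >= x."""
    return x.quantize(D("0.1"), rounding=ROUND_CEILING)


def base_score(vector):
    """Compute the CVSS v3.0 base score for a vector string, as a float."""
    m = parse_vector(vector)
    changed = m["S"] == "C"

    # Impact Sub Score: 1 - (1-C)(1-I)(1-A)
    iss = (D(1)
           - (D(1) - WEIGHTS["C"][m["C"]])
           * (D(1) - WEIGHTS["I"][m["I"]])
           * (D(1) - WEIGHTS["A"][m["A"]]))
    if changed:
        impact = D("7.52") * (iss - D("0.029")) - D("3.25") * (iss - D("0.02")) ** 15
    else:
        impact = D("6.42") * iss

    pr = PR_WEIGHTS[m["PR"]][1 if changed else 0]
    exploitability = (D("8.22") * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]]
                      * pr * WEIGHTS["UI"][m["UI"]])

    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if changed:
        total = D("1.08") * total
    return float(roundup(min(total, D(10))))


def attack_complexity_spread(vector):
    """Return (score with AC:L, score with AC:H), all other metrics unchanged."""
    m = parse_vector(vector)

    def rebuild(ac):
        m2 = dict(m)
        m2["AC"] = ac
        return "/".join("%s:%s" % (k, m2[k]) for k in BASE_METRICS)

    return base_score(rebuild("L")), base_score(rebuild("H"))


if __name__ == "__main__":
    # Constructed example: remote, unauthenticated, no interaction, full C/I/A loss.
    rce = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    print(rce, "->", base_score(rce))
    print("same vector with AC:L vs AC:H ->", attack_complexity_spread(rce))
```

Everything is computed in `Decimal` so that the spec's round-up step is applied to the exact arithmetic result rather than to a binary float that may sit a hair below the boundary. Note what the calculator does not take as input: nothing about exposure, compensating controls or business impact, which is exactly the gap the last comment is pointing at.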