Yes, but which open source project publishes CPEs for their vulnerability information? :-) Plus, an important part of every security advisory is specifying which versions are affected by a particular vulnerability versus which contain the fix and are thus no longer affected.