So what do you propose is the alternative? Not tell you about the vulnerability at all until a patch is released? Publish all the details about the vulnerability before a patch is available?
"be prepared to update affected systems at $point_in_time" seems actionable to me. You for some reason thinking that such a warning doesn't warrant taking the recommended action doesn't mean it isn't actionable, it means you choose to ignore it.
An update is nothing special that I have to be prepared for. I do it all the time across all my systems, and it's largely automated. If a single update is such a burden that you must prepare days in advance for then perhaps there's room to improve the processes.
ok, so the actionable thing is "make a note to check for and run updates on Nov 1, even though it might a public holiday for you" and you're done. actionable != lots of effort, but I still appreciate a warning if I'm supposed to work on a holiday.
And yes, plenty places are not at the point where this is a "press button and done" activity, even if it should be. (e.g. pretty much everyone who is buying any kind of "appliance" and isn't just running open-source stuff now knows to go check with vendors)
"I'm good at DevOps and everyone else should be too", feels tangential, and isn't going to help you when your banking session gets compromised because your bank wasn't prepared to roll this out through any expedited process versus their regulatory compliant, slow process.
(As an example/thought experiment. I make no claims about the vulnerability at hand.)
I spent a few minutes checking my cmdb for openssl3, and have allocated 30 minutes on Tuesday to upgrade the few machines that have openssl3.
When corporate infosec starts to panic, probably about Thursday based on the jndi issue, I'll be able to point them to our log which shows how it was handled.