There are plenty of people in that position, but they're all working at huge corporations. Nobody ends up having to chase things like SOC2 and PCI-DSS without getting paid for it.
Why should unpaid volunteers working on the Linux kernel do compliance work for FAANG-sized companies without getting paid for it? If these companies want the reports carefully triaged, they can send some employees to carefully triage them.
And these standards do not say "patch every time there is a CVE, even if you are not vulnerable". For example, PCI-DSS says "New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs)"; it doesn't even specifically mention CVE.
A vulnerability / bug in an upstream component may or may not end up being a vulnerability in a complex system incorporating that component. A vulnerability in upstream functionality that is disabled (or not used, with no possible path through which an attacker could trigger the upstream vulnerability) in a particular system is not a vulnerability in that system. Standards like ISO27001, SOC2, and PCI-DSS generally ask teams to have processes to discover vulnerabilities, but not necessarily to patch things that are not vulnerabilities in practice.