by dartos 760 days ago
Have there been more CVEs lately, or did the whole Jia Tan thing make them rank higher on HN?
3 comments

There have been more CVEs for the last 5 or so years. The reason is that "number of CVEs" is used in the InfoSec community as a kind of performance metric, so the "researchers" are incentivized to report total nonsense as security vulnerabilities. The second reason is that the whole "InfoSec" thing is viewed as a career choice where there is a shitload of money to be made, which caused many people with questionable skills and ethics to become "security researchers".
On the other hand, scanners do flag CVEs (and therefore regulatory patch requirements are triggered by them).

So at the end of the day, it does apply patch pressure to regulated companies.

Autogenerated security audits that flag totally irrelevant CVEs are another symptom of the same problem. Such scans usually only compare the version of the package in question, which breaks badly when distributions backport security patches and leads to completely irrelevant results when the "vulnerability" in question pertains to configuration that is not used (a good example of that are CVEs for the mail-proxy component of nginx, which I assume most people do not even know exists, let alone deploy). In the end the main effect is that if there was some real security issue, it would get buried deep in all that pointless busy-work that the InfoSec community generates for everybody else.
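The version-only scanning failure described in the comment above, as an added example that is not part of the thread: a Python sketch comparing a naive version-compare check against one that honours a distribution's backported fix version and checks whether the nginx mail proxy is even configured. The advisory record, version strings, distribution name and CVE id are all constructed placeholders, and the version comparison is a simplification of dpkg/rpm ordering.

```python
import re

# Constructed advisory record for illustration only: placeholder CVE id,
# made-up versions and a fictional distribution. Not a real advisory.
ADVISORY = {
    "id": "CVE-XXXX-PLACEHOLDER",
    "package": "nginx",
    "upstream_fixed": "1.21.0",                           # first upstream release with the fix
    "distro_fixed": {"exampledistro": "1.18.0-6+fix2"},   # fix backported, upstream version unchanged
    "config_marker": "mail {",                            # issue only reachable if the mail proxy is configured
}

def version_key(v: str) -> list:
    """Split '1.18.0-6+fix2' into ['', 1, '.', 18, '.', 0, '-', 6, '+fix', 2, '']
    so lists compare numerically on digit runs. Simplified: no epoch or tilde rules."""
    parts = re.split(r"(\d+)", v)
    return [int(p) if i % 2 else p for i, p in enumerate(parts)]

def upstream_part(v: str) -> str:
    """Drop the distribution revision: '1.18.0-6+fix2' -> '1.18.0'."""
    return v.split("-", 1)[0]

def naive_match(pkg: str, installed: str) -> bool:
    """Version-only check: flags anything whose upstream version predates the upstream fix."""
    return pkg == ADVISORY["package"] and \
        version_key(upstream_part(installed)) < version_key(ADVISORY["upstream_fixed"])

def aware_match(pkg: str, installed: str, distro: str, config_text: str) -> bool:
    """Backport-aware and config-aware: honours the distro's fixed version and
    reports the CVE only if the affected component is actually configured."""
    if pkg != ADVISORY["package"]:
        return False
    fixed = ADVISORY["distro_fixed"].get(distro, ADVISORY["upstream_fixed"])
    if version_key(installed) >= version_key(fixed):
        return False                      # patched, even though the upstream version looks old
    return ADVISORY["config_marker"] in config_text

# Constructed nginx configs: one without a mail block, one with.
CONFIG_NO_MAIL = "events {}\nhttp { server { listen 80; } }\n"
CONFIG_MAIL = CONFIG_NO_MAIL + "mail { server { listen 25; protocol smtp; } }\n"

if __name__ == "__main__":
    print(naive_match("nginx", "1.18.0-6+fix2"))                                   # True: false positive
    print(aware_match("nginx", "1.18.0-6+fix2", "exampledistro", CONFIG_MAIL))     # False: fix backported
    print(aware_match("nginx", "1.18.0-6+fix1", "exampledistro", CONFIG_NO_MAIL))  # False: mail proxy unused
    print(aware_match("nginx", "1.18.0-6+fix1", "exampledistro", CONFIG_MAIL))     # True: real finding
```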
100% granted: the avalanche of CVEs is a serious problem.

Which is why the scanner companies are actually providing a "tell me what I need to care about" service.

In general, it does feel like we're groping (blindly) towards a healthier future.

I'd imagine a bit of both. More people looking for issues because of it, and then also because of something so high profile people are more likely to pay attention and upvote because they've seen it more recently.
For example 2023q1 vs 2024q1: 7,015 vs 8,697 [1].

https://www.cve.org/About/Metrics