Update time!
So, remember the vulnerability filtering feature introduced in WPT 6.3? We've already redesigned it, replacing CVSS with our own internal Risk Rank that's calculated based on CVSS, EPSS, Patchstack Patch Priority and some other markers. Our risk rank does a much better job at reflecting the actual severity of vulnerabilities. CVSS is a good thing, but it's difficult to understand for non-tech users and, without going into details, it's not always accurately reflecting the actual severity of WordPress-specific vulnerabilities.
Anyway, vulnerability filtering will be switched from CVSS to risk rank in the next WPT release, and we plan to enable this filtering by default, meaning that all vulnerabilities with "low" risk rank will be hidden and ignored by default. We've checked and confirmed that all these "annoying low-score, won't be fixed" WordPress core vulnerabilities reported by Wordfence will be filtered out when using our new risk rank, so unless end-users explicitly disable the filtering, it should be smooth sailing with no distractions from that moment on.
This solution gives a better out-of-the-box experience (no more warnings that your WordPress is vulnerable on a fresh install), doesn't annoy users, retains the value of Wordfence database where it's actually needed (there are some genuine vulnerabilities only present in the Wordfence database at the moment), and leaves the control in the hands of users.
When this change will go live? I don't have an exact date (it depends on a certain other thing), but quite possibly sometime around next week...