Oh fun! At my employer, the "security team" misunderstands that criticality score and takes it as a "vulnerability score". Everything scoring high is a security risk; everything scoring low is secure.

OMG :) OpenSSF will love that story! Straight into the documentation Hall of Fame.

They can check out the Securing Critical Projects working group: https://github.com/ossf/wg-securing-critical-projects