Let's take an example: protecting a car. There are countless possible attacks on the software that runs automobiles, but the most common attacker goal is to steal the car. That means you want to protect the paths to that goal, regardless of what they look like or whether they are even specific to software.
Sure, attackers can also exploit CVEs to DOS the entertainment system but who really cares if that happens?
Sure, attackers can also exploit CVEs to DOS the entertainment system but who really cares if that happens?