Surely the idea that a software vendor can become a CNA, and effectively block anyone else from assigning CVEs to their products, is... not great? There's an obvious conflict of interest if (for example) Adobe is the only outfit which can issue CVEs for Adobe software, and they choose to downplay security issues.