Question
How can a 'Medium-Severity CVSS v3.0 Vulnerability Patching Cadence' finding have a lower score impact than a 'Low-Severity CVSS v3.0 Vulnerability Patching Cadence' finding, even though the 'Medium CVSS v3 severity' issue type has more findings?
Answer
There are two parts of the scoring methodology for CVSS v3.0 findings that can cause a 'Medium CVSS v3 severity' finding to have a lower impact than a 'Low CVSS v3 severity' finding.
- The issue type titles are based on the CVSS 3.0 rating, but we use our own priority breach likelihood method to determine scoring. Currently all CVSS 3.0 findings have the same low breach likelihood. See: All CVSS v3 Issue types have a Low Severity despite of their Criticality for details.
- The second part of our scoring is the use of a z-score to determine the impact. Since 'Medium CVSS v3 severity' findings are more common than 'Low CVSS v3 severity' findings, they have a lesser impact. In the case of the above screenshots, the 'Medium CVSS v3 severity' findings for the scorecard have a lower deviation from the mean than the 'Low CVSS v3 severity' findings. Please also refer to the z-scoring details in our Scoring methodology whitepaper.
The above scoring behavior applies to all issue types.
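The following is an added illustration of the z-score effect described above; it is not code from the scoring platform and does not reproduce the real scoring formula. It assumes a constructed population of finding counts per issue type across several scorecards, a single shared breach likelihood for all CVSS v3 issue types (as the article states), and a toy impact mapping (z-score weighted by breach likelihood, floored at zero). It shows how a scorecard with more Medium findings than Low findings can still take a larger impact from the Low issue type when Medium findings are common across the population.

```python
from statistics import mean, pstdev

# Constructed sample population: number of findings of each issue type on
# eight hypothetical scorecards. Medium CVSS v3 findings are widespread, Low
# CVSS v3 findings are rare. These are made-up numbers, not real data.
POPULATION = {
    "Medium CVSS v3 severity": [12, 15, 9, 14, 11, 13, 10, 16],
    "Low CVSS v3 severity":    [1, 0, 2, 1, 0, 1, 3, 0],
}

# Assumed: every CVSS v3 issue type shares the same low breach likelihood,
# so likelihood cannot be what separates the two issue types here.
CVSS_V3_BREACH_LIKELIHOOD = 0.1


def z_score(value, population):
    """Standard score of `value` against the population mean and std. dev.

    A count equal to the mean scores 0; a count one standard deviation above
    the mean scores 1. If every scorecard has the same count there is no
    spread, so the deviation is reported as 0 rather than dividing by zero.
    """
    sigma = pstdev(population)
    if sigma == 0:
        return 0.0
    return (value - mean(population)) / sigma


def impact(z, breach_likelihood):
    """Toy impact mapping (an assumption, not the platform's formula):
    only counts above the population mean hurt, scaled by breach likelihood."""
    return max(0.0, z) * breach_likelihood


def score_impacts(scorecard_counts, population=POPULATION,
                  breach_likelihood=CVSS_V3_BREACH_LIKELIHOOD):
    """Return {issue_type: (count, z_score, impact)} for one scorecard."""
    result = {}
    for issue_type, count in scorecard_counts.items():
        z = z_score(count, population[issue_type])
        result[issue_type] = (count, z, impact(z, breach_likelihood))
    return result


def higher_impact_issue(scorecard_counts):
    """Name of the issue type with the larger impact on this scorecard."""
    scored = score_impacts(scorecard_counts)
    return max(scored, key=lambda k: scored[k][2])


if __name__ == "__main__":
    # The scorecard from the question: more Medium findings than Low findings.
    scorecard = {"Medium CVSS v3 severity": 14, "Low CVSS v3 severity": 3}
    for issue_type, (count, z, imp) in score_impacts(scorecard).items():
        print(f"{issue_type:25s} count={count:2d} z={z:5.2f} impact={imp:.3f}")
    print("Larger impact:", higher_impact_issue(scorecard))
```

With the constructed population, 14 Medium findings sit only about 0.65 standard deviations above the Medium mean of 12.5, whereas 3 Low findings sit 2 standard deviations above the Low mean of 1.0, so the Low issue type carries the larger impact even though it has fewer findings.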