I haven't been actively monitoring for security vulnerabilities ever since I switched from system administration to software development a few decades back. These days, I just read news that talks about high profile vulnerabilities - I do see CVE a lot more than cert.
We used to look at cert: https://www.kb.cert.org/vuls/ I just did a quick search to confirm that it is still there.
What's the difference/relationship between the two?
The primary difference is that CVE was unexpectedly killed by the US Government yesterday and the program terminates today.
How is the failure to renew a contract "unexpected"?
Contracts have end dates. All parties on the contract know them.
I expect they didn’t see it not being renewed coming because the contract was renewed every time for the past 25 years.