On the ReDos aspect, I find the current CVSS rating system lacking. Availability is important, but following secure coding principles (fail closed) I'd much rather my system go down than have integrity/confidentiality compromised.

It's frustrating that a potential availability issue often gets the same (high) rating as a integrity/confidentiality issue