• @phx@lemmy.ca
    310 months ago

    I really don’t understand how things that require a significant amount of user interaction (click on link, follow instructions) are rated at above 9. We see potentially wormable vulnerabilities rated at less than this.

    While social engineering is obviously a significant component towards breaches, an attacker could just as easily trick a user into giving up their credentials in a phone call while pretending to be helpdesk, etc.