I was going to give the example of the Carnival cruise ship that sank in the 2010s (I think) largely due to the captain’s incompetence[…]
That’s Costa Concordia. It received extra media attention and is mostly known due to the awful behavior of the captain who first directly caused the accident and then fled the ship before most of his passengers.
My main issue with CVEs nowadays is that it seems one gets generated even when 99% of the use cases for the software in question are not vulnerable as the vulnerability requires a very specific configuration/circumstances/etc. to be exploitable. In large projects with lots of dependencies this adds a lot of noice and there’s a risk that actual important CVEs go unnoticed.