
It's not a tragedy of the commons for the simple reason that it is the creators of the project that are issuing the CVEs. If anything, it was the prior situation that was the real tragedy of the commons: the freeloaders were not contributing resources back to the Linux developers for security assessment.

Now everyone gets to do their own, which they should have been doing in the first place.




But is the system really working usefully in this case? It seems like the intended purpose of CVEs is to actually identify serious (and less serious) exploits, which requires that someone, somewhere do quite a lot of work figuring that out and keeping track of things. But the kernel maintainers didn't sign up for that, so they basically shut things down via malicious compliance--not that I blame them, since nobody is stepping up to do the work and the maintainers already have a job, thank you.

So the tragedy of the commons is that security organizations ended up relying on CVEs as a security standard, without really thinking through who was going to do the dirty work of keeping that system going as it expanded.


> the intended purpose of CVEs is to actually identify serious (and less serious) exploits

No. It was created for cross-referencing different vulnerability databases.

https://www.tripwire.com/state-of-security/history-common-vu...

> There’s just one problem – each security vendor has its own database with little to no crossover. Each vendor’s tool generates its own alert for detected vulnerabilities, and these alerts must be manually cross-referenced between the tools to determine if they are separate issues or multiple alerts for the same issue.


Some people wanted CVEs as identifiers. Some wanted the CVE most to be dense with actual security bugs (that justified backports, upgrades etc). Some wanted to issue many, often with nice names.

Pick two uses, can't have all three.



