@SensCyberSecurity

Account created on 20 May 2024, 4 months ago

Recent comments

@cmlara,

I think I can help you with the first concern about how it went and how it could be prevented in the future. I reported the vulnerability to the DST around 4 months ago. After some discussion it became clear that it needed to be solved in public by the DST. So I created a public issue for this and asked if a Security Advisory needed to be created for it. The DST answered: "No security advisory is needed for public issues."

Since it was now public and the DST would not create an SA, I asked MITRE if it was possible to assign a CVE-ID to this issue. In this case MITRE answered: "The Drupal security team is allowed to assign a CVE ID even if the issue can be solved in public. We cannot take any further action at MITRE unless you establish that the Drupal security team will not assign a CVE ID."

So I went back to the DST and asked if a CVE-ID could be created for this issue. The answer was: "Sorry, we are not issuing CVEs for issues which are allowed to be fixed publicly and does not have security advisories."

So I think your first concern is answered: this was published by MITRE as the CNA of Last Resort (CNA-LR) due to refusal by an approved CNA to publish a valid security concern.

I hope this helps.

Note: The issue was reported privately to the Drupal security team, but it was decided that it can be solved in public.
