- Does not measure vulnerabilities introduced by the enhancing technology
  - Actually happened to Sun/Cobalt when they applied StackGuard poorly
- Counting vulnerabilities:
  - When l33t d00d reports “th1s proggie has zilli0ns of bugs” and supplies a patch, is that one vulnerability, or many?
- Dependence on exploits
  - Many vulnerabilities are revealed without exploits
  - Should the RV test lab create exploits?
  - Should the RV test lab fix broken exploits?
  - Probably yes
- Exploit success criteria
  - Depends on the test model
  - Defcon “capture the flag” would not regard Slammer as a successful exploit because payload was not very malicious