You're drowning in CVEs and playing context tetris.
Is this finding actually exploitable, or just loud? Does engineering even know what an AI supply chain attack is? Do they care?

Meanwhile the work you actually want to do sits waiting: threat modeling, secure architecture, building a defense that holds. That's the [real work]. The problems only you can solve. And it keeps losing to whatever the queue throws at you next.

The Jira negotiations, the proof-of-concept gymnastics, the ticket that needs a comment, then a follow-up,1 then a meeting about the follow-up that's not security work. That's just friction with a security label slapped on it.