This article (click Read More below) clearly shows the confusion people have with VEX.
This article shows that people are conflating and confusing VEX with "Security Advisories".
A Security Advisory tells people which products ARE AFFECTED by a new vulnerability.
A VEX tells people which products ARE NOT AFFECTED by a new vulnerability. It's a "negative Security Advisory"
A VEX and a "Security Advisory" are the yin-yang view of a newly published vulnerability/CVE.
Just to be clear, this description of VEX is not my opinion, this is how the author of CSAF and VEX, Thomas Schmidt, describes VEX in this video clip.
The people responsible for sowing this confusion don't seem to be interested in seeing this matter resolved. This is unfortunate because it is impacting SBOM adoption, IMO