Update ratings descriptions in schema files for clarity on VEX usage
I am translating @stevespringett's feedback on the CycloneDX VEX specification into the code.
Should ratings be normative inputs for prioritization in VEX consumers?
Yes, they should be. It is widely known that the NVD has historically overrated vulnerabilities (on purpose). So the ratings from the NVD and those from the manufacturers are often different. CycloneDX can convey this information, which can aid in prioritization.
fixes https://github.com/CycloneDX/specification/issues/719