How does CVEs map to OWASP top 10

Specifically,

A06:2021 - Vulnerable and Outdated Components

I could be wrong but won't all the CVEs map to this security risk, as all CVE occur due to some component being vulnerable?

Context:
I was tasked to map CVEs captured by WAF to OWASP top 10
At first I thought, okay seems like a easy job but after spending a few hours on this it feels like a totally stupid thing to map.. its dosen't make any sense to me.

Let …

cves cybersecurity owasp owasp top 10