Michael Schneider

infosec, working at scip ag, classic car rally driver for teampaddymurphy.ie
Twitter: https://twitter.com/0x6d69636b
GitHub: https://github.com/0x6d69636b
Location: Winterthur, Switzerland
Company: https://www.scip.ch/en/?team.misc

I'm looking at the CVSS v4.0 specification - does anyone have a sound definition of what is a vulnerable system (VC, VI, VA)? Perhaps @kpwn?

I don't understand why, in the VMware Workstation example, the vulnerable system is the guest and the subsequent system is the host - and why, in a web service vulnerability, the underlying OS is usually part of the vulnerable system?