For something given a CVSS of 10, that is a ridiculous amount of time... although hopefully they fixed it within a reasonable amount of time and just took forever to disclose it.
I don't necessarily disagree with the rating of 10 here (I know anything about the actual impact of this vulnerability), but please note that CVSS really isn't a perfect system, and it is quite easy to reach ridiculously high CVSS scores with even minor vulnerabilities, if you are 'maybe a bit too literal' in its interpretation.
The official CVSS 3.1 example score for a stored XSS is 9.0.