A lot of effort goes into classifying each vulnerability; business impact requires understanding of the organization and communication with clients.
A lot of standards do not use it. For example, PCI-DSS uses CVSS.
Informal methods measure business impact and factor in the consultant's understanding of the business and expertise, but consultancies might find it difficult to justify the ratings to clients; very opinionated.
CVSS does not take into account the importance of a given asset. It's entirely possible that a medium vulnerability on a mission-critical server should be remediated before a critical vulnerability on the guest check-in kiosk in the lobby of your corporate headquarters.
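The following is an added worked example (not code from the original notes or from any standard) showing how a remediation queue changes once asset criticality is combined with the CVSS base score. The qualitative severity bands follow the CVSS v3.x specification; the asset-criticality weights, the `Finding` structure and the three sample findings are constructed assumptions for illustration only.

```python
from dataclasses import dataclass


def cvss_severity(base_score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band.

    Bands per the CVSS v3.x specification: None 0.0, Low 0.1-3.9,
    Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
    """
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"


# Constructed asset-criticality weights (an assumption for this example,
# not taken from CVSS or any other standard). A real programme would derive
# these from the client's asset inventory and business-impact analysis.
ASSET_WEIGHT = {
    "mission-critical": 1.0,
    "business-important": 0.6,
    "low-impact": 0.25,
}


@dataclass(frozen=True)
class Finding:
    title: str
    asset: str
    criticality: str   # key into ASSET_WEIGHT
    cvss_base: float


def priority(finding: Finding) -> float:
    """Remediation priority: CVSS base score scaled by asset weight.

    Higher means fix sooner. The product is a simple, explainable model;
    the point is that asset context, not CVSS alone, drives the order.
    """
    return round(finding.cvss_base * ASSET_WEIGHT[finding.criticality], 2)


def rank_by_cvss_only(findings):
    """The order a pure CVSS-driven policy would produce."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


def prioritize(findings):
    """The order once asset criticality is taken into account."""
    return sorted(findings, key=priority, reverse=True)


def explain(finding: Finding) -> str:
    """Human-readable justification line for a client report."""
    return (f"{finding.asset}: {cvss_severity(finding.cvss_base)} "
            f"({finding.cvss_base}) on a {finding.criticality} asset "
            f"-> priority {priority(finding)}")


# Constructed sample findings; titles and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("Unpatched kiosk browser", "lobby-kiosk-01",
            "low-impact", 9.8),
    Finding("Weak TLS configuration", "payments-db-01",
            "mission-critical", 5.5),
    Finding("Outdated wiki software", "intranet-wiki",
            "business-important", 7.2),
]


if __name__ == "__main__":
    print("CVSS-only order:")
    for f in rank_by_cvss_only(SAMPLE_FINDINGS):
        print("  " + explain(f))
    print("Asset-weighted order:")
    for f in prioritize(SAMPLE_FINDINGS):
        print("  " + explain(f))
```

With the constructed weights, the CVSS-only queue puts the kiosk (9.8) first and the payments database (5.5) last, while the asset-weighted queue reverses that: the medium finding on the mission-critical server lands at priority 5.5, ahead of the critical finding on the low-impact kiosk at 2.45. The `explain` output is the kind of one-line justification that lets a consultancy defend a rating to a client instead of relying on opinion alone.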