imo they have to be pretty severe to justify being yanked. Vulnerabilities are not one-size-fits-all bad. For example, the regex vulnerability doesn't matter if I'm using it within my tests. Other vulnerabilities might be in a part of the crate I'm not using (I wish `cargo audit` could report only for what's in use). Let `cargo audit` and `cargo deny` deal with reporting vulnerabilities. Let's improve their integration into users' workflows.

As was mentioned, the official docs and `cargo new` discourage committing `Cargo.lock` for libraries. So long as a semver-compatible upgrade is available, it at least shouldn't break people without a `Cargo.lock`. I do wonder if we should change this recommendation though to make life easier for `git bisect` and other workflows.