My favorite aspect of CVE remediation hell is when you get a vulnerability notification and the suggested action is "none" because it hasn't been patched.

My favorite aspect of software dependency hell is when you bump a library version and everything breaks because there's an undocumented incompatibility between a specific version of library X and a specific version of library Y.