While I agree we should have a clear web page explaining the different CVEs and their applicability to Zend Server, Zend only produces updates for remotely exploitable issues. In fact, we don't consider non-remotely-exploitable issues as security issues at all.
FYI, there are discussions on php.net happening regarding whether or not issues that require developer access should even be reported as CVEs at all, as protecting PHP against a malicious developer is a hopeless endeavor to begin with.
We'll look into providing this information in a better way, so that you can know whether a particular CVE is something to worry about or not. The VAST MAJORITY of PHP CVEs are actually completely meaningless from a security perspective. In fact, the last real security issue in PHP was exactly one year ago, and was released by Zend at the same time as it became available as a part of a new PHP release.