I'm worried that this is going to be seen as a reason to not take "CRITICAL" disclosures seriously at first glance like we should. A "CRITICAL" bug MUST be treated as if it were critically bad. From a community health perspective, people have been told that something really bad is about to come out for a week and then had the rug pulled out from under them, and now it's "nah, we were wrong, you're probably fine".
I totally agree. For a week, I was slightly anxious about the impact this vulnerability would have on our systems at work and my own private services. I relaxed a bit when I realised Debian 11 ships with OpenSSL 1.1.1, which is not impacted, but I was still keeping an eye out for everything else.
Then, yesterday, it turned out that - yes - it is bad, but in really specific, not even that often occurring circumstances. Combined with the re-framed impact level of 'high', that takes away the believability of the initial 'this is really impactful!' news and the accompanying hype.