Well like, you can download files using your browser, cmd, PowerShell etc etc so I'm not really seeing a security risk here? Not sure on the purpose of the DownloadFile switch on the program but I doubt it's used for any definition updates or the AV engine, that's already covered a different way. Wouldn't be surprised if the purpose is to be used for downloading files so that Defender scans them and rates them on the spot. Sadly the documentation doesn't currently have DownloadFile in there so we don't have the description of what Microsoft intends for that switch.
Either way this seems a little bit blown out of proportion, it's not adding any risk and multiple other programs and system tools allow you to do the exact same thing. Here's a good idea, don't download viruses, don't run random scripts, if something asks for administrative permissions that you did not expect close the dialogue (don't even click no unless you have to).
The reason there is no CVE, and likely never will be is because it's not a vulnerability, people doing dumb things with given tools don't get given CVE's.