CVEs are not the ONLY vulnerabilities. In other words, CVEs are a subset of vulnerabilities.
CVE stands for Common Vulnerabilities and Exposures. It is used to track security vulnerabilities. It has the format CVE-YYYY-XXXXXXX, where YYYY denotes the year and XXXXXXX is the tracking number.
By definition, every CVE is a vulnerability. But not every vulnerability has a CVE number.
For example, password configuration, such as password policy (length, complexity, renewal), has no CVE number assigned but is still considered a vulnerability.
Next, misconfigurations, such as default admin credentials or well-known login/password pairs, and ICMP configurations that leak system information, have no CVE number either. But they are always highlighted by any vulnerability scanning tool.
Weak encryption (which is a kind of misconfiguration) can lead to disclosure of sensitive information, and has not been assigned any CVE number either.
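As an added illustration (not part of the original page), the Python below splits a constructed list of scanner findings into those that cite a CVE ID and those that do not, showing how much a CVE-only report would leave out. The hosts, titles and CVE IDs are made-up placeholders, and the pattern assumes a sequence number of four or more digits.

```python
import re

# "CVE-", a four-digit year, "-", then a sequence number of four or more digits.
CVE_ID = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample findings (not real scanner output); CVE IDs are placeholders.
FINDINGS = [
    {"host": "10.0.0.5", "title": "Outdated web server package (CVE-2099-0001)"},
    {"host": "10.0.0.5", "title": "Password policy: minimum length below 8"},
    {"host": "10.0.0.7", "title": "Default admin credentials accepted"},
    {"host": "10.0.0.7", "title": "ICMP timestamp response discloses system time"},
    {"host": "10.0.0.9", "title": "Weak cipher suites enabled on TLS listener"},
    {"host": "10.0.0.9", "title": "Library flaw, see CVE-2099-1234567 and cve-2099-00022"},
]


def cve_ids(text):
    """Return the CVE IDs mentioned in a string, normalized to upper case."""
    return [f"CVE-{year}-{seq}" for year, seq in CVE_ID.findall(text)]


def split_findings(findings):
    """Partition findings into (cites a CVE ID, cites none)."""
    tracked, untracked = [], []
    for finding in findings:
        ids = cve_ids(finding["title"])
        (tracked if ids else untracked).append({**finding, "cves": ids})
    return tracked, untracked


def cve_only_blind_spot(findings):
    """Fraction of findings that a report filtered on CVE IDs would drop."""
    _, untracked = split_findings(findings)
    return len(untracked) / len(findings) if findings else 0.0


if __name__ == "__main__":
    tracked, untracked = split_findings(FINDINGS)
    print(f"{len(tracked)} findings cite a CVE, {len(untracked)} do not")
    for finding in untracked:
        print(f"  no CVE: {finding['host']}  {finding['title']}")
    print(f"CVE-only report would drop {cve_only_blind_spot(FINDINGS):.0%}")
```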