Severity ratings are used to indicate the level of risk associated with a security vulnerability or issue. This rating is typically based on factors such as the potential impact of the vulnerability, likelihood of it being exploited, and the ease of exploitation. Severity ratings used by Azure may differ from those used by MSRC, since they are tailored to the specific context and audience. For example, Azure may use a different set of severity ratings for its cloud services than MSRC uses for its software products.<sup>[1]<sup> As far as "Critical" rating missing, it could be due to the fact that not all vulnerabilities or issues are considered critical in every context. For example, a vulnerability that affects a low-impact service may not be considered critical, even if it has the potential to be exploited.<sup>[1]<sup>
Having said that, I couldn't find any specific guides or documentation leading to what establishes severity ratings in Azure Policy documentation. The closest I could find was Understand Azure Policy effects which discusses the evaluation mechanism of a policy and Get compliance data of Azure resources.
It would help to better know where you're retrieving those ratings from.
<sup>[1] - AI tools were used to generate this response</sup>