Efficiency in finding isn't really the metric to consider. I'm sure a good security person could look at these and find the bugs, but nobody did.

IMHO, if you were to do a manual audit of the Linux kernel, the first thing to do is exclude all the stuff you're never going to run, because why spend time on it?

These scans are looking at everything, because once you set it up, the incremental cost to look at everything is not so bad.

This is going to push lesser used stuff out of the mainline, which sucks for people who were using it, but is better for everyone else.