I’m having a real problem at work with security theatre and the growing push to obsess over numbers of “vulnerabilities” in our projects. And then auto Dependabot PRs that encourage churn to fix issues that if an informed person actually reviews easily concludes it doesn’t affect us in the slightest.

"maybe high and critical vulnerabilities don’t need to be a minor version upgrade"

huh? what do you suggest instead?