This is the same gripe I have over any LLM vulnerability tooling. 95% of what gets flagged is something that if taken by itself could be a vulnerability. However, the path to execute that specific vuln, in that specific function, is impossible in that particular code base and it just makes noise.