Quite good points! Don't consider scan results the trough because they are created by a computer.
I see it daily that snyk (a security scanner) reports vulnerabilities in dependencies that don't really apply to a project or get a way lowered severity because there are other measures in place to prevent this from happening.
Check the scan results and understand them properly before going crazy. Those tools are helpers, not decision makers.
This is my personal microblog. It's filled with my fun, joy and silliness.