There is a lot more signal than noise, especially they way we aggregate the security reports. CSP can be deployed in report only mode, which provides a great way to detect how your policy has to come together.
I guess in my mind signal == attacks, but I guess there's also value in having reports when your policy broke things if you don't have other methods for detecting that, or if your integration tests disable CSP.