[starbeast]

On the other hand, if you know something is bad for false positives then unless it is so bad as to be unusable, you would expect that, on average, getting a few results is dubious, but lighting up like a christmas tree probably means something is actually there.

[acdha]

That's really not a safe assumption — an incorrect result repeated thousands of times does not become correct — and it definitely means that you now have a big problem of reviewing and validating tons of noise which will delay the time before you find whatever valid results are present.

I've seen multiple tools in this class — code scanners, IDSes, or web app scanners — which caused security problems by training everyone to assume that the results are always false-positives until they missed something real or soaking up so much human time that nobody made progress on the major improvements which would have prevented a breach.