by ethbr1 763 days ago
On the other hand, scanners do flag CVEs (and therefore regulatory patch requirements are triggered by them).

So at the end of the day, it does apply patch pressure to regulated companies.


Autogenerated security audits that flag totally irrelevant CVEs are another symptom of the same problem. Such scans usually only compare the version of the package in question, which breaks badly when distributions backport security patches and leads to completely irrelevant results when the "vulnerability" in question pertains to configuration that is not used (a good example of that is CVEs for the mail-proxy component of nginx, which I assume most people do not even know exists, let alone deploy). In the end the main effect is that if there was some real security issue, it would get buried deep in all that pointless busy-work that the InfoSec community generates for everybody else.
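As an added example (not from the thread), the version-only check described above placed beside a distro- and configuration-aware one; the CVE id, distro name, package versions and tracker entry are constructed placeholders, and the version ordering is deliberately simplified rather than a full dpkg/rpm comparison:

```python
"""Version-only vulnerability matching versus a backport- and config-aware check.

All sample data below is constructed: the CVE id, the distro name and the
package versions are placeholders, not real advisories.
"""
import re
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Split 'upstream-revision' into two integer tuples for ordering.
    Simplified: digit runs only, not the full dpkg/rpm algorithm."""
    upstream, _, revision = v.partition("-")

    def digits(s: str) -> tuple:
        return tuple(int(x) for x in re.findall(r"\d+", s))

    return (digits(upstream), digits(revision))


@dataclass
class Advisory:
    cve: str
    package: str
    fixed_upstream: str            # first upstream release carrying the fix
    component: str                 # affected subsystem, e.g. the mail proxy
    fixed_in_distro: dict = field(default_factory=dict)  # distro -> patched pkg version


@dataclass
class Host:
    distro: str
    package: str
    version: str                   # full distro package version string
    enabled_components: set        # subsystems actually compiled in / configured


def naive_flags(adv: Advisory, host: Host) -> bool:
    """What a version-only scanner does: compare the upstream part alone."""
    return parse_version(host.version)[0] < parse_version(adv.fixed_upstream)[0]


def aware_flags(adv: Advisory, host: Host) -> bool:
    """Skip unused components and honour distro backports before falling back."""
    if adv.component not in host.enabled_components:
        return False               # affected code path is not deployed here
    fixed = adv.fixed_in_distro.get(host.distro)
    if fixed is not None:
        return parse_version(host.version) < parse_version(fixed)
    return naive_flags(adv, host)  # no backport recorded: upstream rule applies


# Constructed case: a mail-proxy issue, backported in the distro's .2 revision.
ADVISORY = Advisory("CVE-0000-00001", "nginx", "1.21.0", "mail",
                    fixed_in_distro={"exampledist-22": "1.18.0-6example.2"})
HOST = Host("exampledist-22", "nginx", "1.18.0-6example.4", {"http"})
```

Running both checks on `HOST` shows the naive scanner flagging a host whose distro package already carries the backport and whose build does not even use the affected component.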
100% granted: the avalanche of CVEs is a serious problem.

Which is why the scanner companies are actually providing a "tell me what I need to care about" service.

In general, it does feel like we're groping (blindly) towards a healthier future.