99% false positives is worse than nothing
You need below 5% false positives at the very worst; 1% is better (0% is impossible). Remember when Windows implemented UAC and programs triggered it every 5 minutes (because they weren't UAC-aware at the time), so everyone just turned it off because it was worse than useless? This is like that. You're not even going to notice a legitimate security issue in all the spam.
Eventually, if npm is actually more interested in making it useful than in revenue enhancement, I think this can be largely mitigated. It's just a retread of what's been done before with compiler errors/warnings and lint errors/warnings, though most of the JS people may have no idea what that even means or that this is hardly a new problem. The compiler (checker) gets better at deciding what's a real error and what's just a warning, the package authors get better about adapting their code to the compiler (checker) - which usually always results in better code - and then you get the option to manually disable specific things for specific packages. Just getting rid of the cascading errors (where a single thing generates 20 errors) would be a big start.