The difference between good and bad security product
Is the bad one are pushing tons of errors without checking dependencies/applicability in the context.
This is not only true for products for SW, but also for infra/cloud products.
For infra/cloud, there are one or 2 that do elaborated links models between security issues, and rate them according to applicability.
Basically, red means you're already pwned already.
Rest should be analyzed carefully, minus the info that can be ignored.