The problem is not the tools themselves (not entirely at least because they have many shortcomings, like not accounting for Debian/Ubuntu fixes backports) but how people (don't) analyze the results.
We do use vulnerability scanners (sending SBOMs to Dependency-Track) but this clearly requires work to analyze the results and determine if you're actually vulnerable (false positive, non-exploitable vuln, only if configured in some specific way, etc.)
Contacting project maintainers for assistance without even some prior analysis is just plain wrong I 💯 agree!

yeah, I also hear from many of these users that they have rules and regulations put in place that makes it mandatory for them to address all the complaints above a certain threshold from the scanners within N days. Which just makes everything even worse.