Maybe they're still counting back ports as CVEs? (Seems like scanning software still always false positives on a listening port that flags for a version and doesn't take into account backport and doesn't actually test for the CVE/vuln-- it's so exasperating weeding through reports thrown at you by "Security")

But yeah seems unlikely that official Debian images would be full of CVEs unless they are not being regularly updated.