Very early in my career I'd take these vulnerability reports as a personal challenge and spent my day/evening proving it isn't actually exploitable in our environment. And I was often totally correct, it wasn't.

But... I spent a bunch of hours on that. For each one.

These days we just fix every reported vulnerable library, turns out that is far less work. And at some point we'd upgrade anyway so might as well.

Only if it causes problems (incompatible, regressions) then we look at it and analyze exploitability and make judgement calls. Over the last several years we've only had to do that for about 0.12% of the vulnerabilities we've handled.