On the other hand, if you know something is bad for false positives then, unless it is so bad as to be unusable, you would expect that, on average, getting a few results is dubious, but lighting up like a Christmas tree probably means something is actually there.
acdha|7 years ago
I've seen multiple tools in this class — code scanners, IDSes, or web app scanners — which caused security problems by training everyone to assume that the results are always false positives until they missed something real or soaking up so much human time that nobody made progress on the major improvements which would have prevented a breach.